Description
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can therefore run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
Published: 2026-06-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

nvm (Node Version Manager) reads version strings from the configured Node.js/io.js mirror's index.tab and uses them, without sanitization, to build download URLs and shell/awk commands. A version field such as $(id) is expanded as command substitution when nvm_download() evals the curl/wget command string; a field that breaks out of the string literal nvm_get_checksum() splices into its awk program can reach awk's system(). Either path runs arbitrary commands with the privileges of the user executing nvm. Execution is confined to that user's privileges, which on a CI runner means the job's own identity and whatever credentials it holds; the bug grants no network or system-wide privilege beyond them.

Affected Systems

Any installation of nvm-sh/nvm through version 0.40.4 that downloads from a non-default or potentially compromised mirror: systems where the mirror URL has been changed from the default, where an attacker controls the mirror, or where a machine-in-the-middle can alter content served by a non-TLS mirror. The default endpoint https://nodejs.org, served over TLS, is not affected; any custom mirror configuration is exposed. nvm selects the mirror through the NVM_NODEJS_ORG_MIRROR and NVM_IOJS_ORG_MIRROR environment variables, so checking those in shell profiles and CI job definitions is the quickest way to find exposed installations.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (High) with AC:H and UI:R: the attacker cannot reach a victim directly but must first get a crafted index.tab served from the mirror nvm is configured to use and then wait for a user or CI job to run a command such as nvm install against it; the v4.0 vector records the same preconditions as AT:P and UI:A. EPSS is below 1%, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment records proof-of-concept exploitation with total technical impact. Influencing the mirror is feasible for anyone who administers a custom mirror, can supply mirror content to a user or CI on a non-default mirror, or can intercept traffic to a non-TLS mirror. Once the malicious index is served, exploitation is trivial: the payload is a single index.tab field and needs no memory corruption or race.

Generated by OpenCVE AI on June 4, 2026 at 18:22 UTC.

Remediation

No tagged nvm release containing the fix was available when this entry was published: the CVE description records the fix as merged on master, pending the next tagged release. Until that release is installed, the mitigation the description supports is to download only from the default TLS mirror (https://nodejs.org), which is not affected.

OpenCVE Recommended Actions

  • Upgrade nvm to the first tagged release after 0.40.4 that contains the fix; at publication the fix was only on master, so once a tagged release exists pin to it rather than to an arbitrary master commit.
  • Revert to the default nodejs.org mirror https://nodejs.org/, which is served over TLS and is unaffected by this issue; unset NVM_NODEJS_ORG_MIRROR and NVM_IOJS_ORG_MIRROR where they are not needed.
  • If a custom mirror must be used, serve it over TLS, verify that its content is a faithful copy of the upstream distribution, and validate each index.tab version field against the Node.js/io.js version grammar (for example ^v[0-9]+\.[0-9]+\.[0-9]+$ for Node.js releases) before handing it to nvm; rejecting anything that fails the grammar is stricter and easier to get right than searching the field for shell syntax.

Generated by OpenCVE AI on June 4, 2026 at 18:22 UTC.
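The two sinks named in the Description and the version-grammar check recommended above, as an added illustration written for this page rather than code from nvm itself: each sink is a small POSIX sh stand-in built with the vulnerable pattern beside its hardened form, fed by a constructed index.tab field and constructed SHASUMS lines. The mirror URL, the function names, the fake fetcher that prints the URL instead of downloading, and the version grammar used (an optional iojs- prefix, then v<major>.<minor>.<patch>) are all assumptions for the example.

```shell
# Added illustration for this page, not nvm's own code. MIRROR, the function
# names, the fake fetcher, the SHASUMS and index.tab lines and the version
# grammar are all assumptions made for the example.

MIRROR='https://mirror.example.invalid/dist'   # assumed non-default mirror

# Stand-in for curl/wget: prints the URL it would fetch, so this runs offline.
fake_fetch() { printf '%s\n' "$1"; }

# Constructed SHASUMS256.txt content as a mirror would serve it.
SHASUMS='0123456789abcdef  node-v20.11.1-linux-x64.tar.xz
fedcba9876543210  node-v20.11.1-darwin-arm64.tar.xz'

# ---- sink 1: the download command ----------------------------------------
# Vulnerable pattern: the version is spliced into a command string that is
# then eval'd, so $(...) inside the version is executed by the local shell.
vuln_download() {
  cmd="fake_fetch \"${MIRROR}/${1}/node-${1}.tar.xz\""
  eval "$cmd"
}
# Hardened: the URL is one literal argv element; nothing is re-parsed.
safe_download() {
  fake_fetch "${MIRROR}/${1}/node-${1}.tar.xz"
}

# ---- sink 2: the checksum lookup ------------------------------------------
# Vulnerable pattern: the slug is spliced into the awk program text, so a
# double quote in it closes the string literal and the rest is awk code,
# which can call system().
vuln_checksum() {
  printf '%s\n' "$SHASUMS" | awk "\$2 == \"$1\" { print \$1 }"
}
# Hardened: the slug reaches awk as data through -v. awk still expands
# backslash escapes in -v values, but never treats them as program text.
safe_checksum() {
  printf '%s\n' "$SHASUMS" | awk -v slug="$1" '$2 == slug { print $1 }'
}

# ---- input validation -------------------------------------------------------
# Assumed grammar: optional "iojs-" prefix, then v<major>.<minor>.<patch>.
# A mirror-supplied version that fails this is rejected before any sink.
is_valid_version() {
  printf '%s\n' "$1" | grep -Eq '^(iojs-)?v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Install flow over one index.tab line (tab-separated, version in field 1):
# validate, then use only the hardened sinks. Returns 1 on a bad version.
install_from_index() {
  version=$(printf '%s\n' "$1" | cut -f1)
  is_valid_version "$version" || { echo "rejected: $version" >&2; return 1; }
  safe_download "$version"
  safe_checksum "node-${version}-linux-x64.tar.xz"
}

# Constructed index.tab lines: what nodejs.org would serve, and what a
# malicious mirror could serve instead.
GOOD_LINE=$(printf 'v20.11.1\tv11.3.0\t1.8.0')
EVIL_LINE=$(printf 'v20.11.1$(echo INJECTED)\tv11.3.0\t1.8.0')

# Demonstration when run directly: the eval'd sink expands the injected
# command; the argv-based sink passes it through as inert text.
vuln_download 'v20.11.1$(echo INJECTED)'
safe_download 'v20.11.1$(echo INJECTED)'
install_from_index "$GOOD_LINE"
install_from_index "$EVIL_LINE" || true
```

With the hardened sinks alone, an injected field still travels to the mirror as an odd-looking path component and simply fails to download; the grammar check is the layer that keeps it off the network entirely, and it is also what makes the awk -v caveat moot, because a string that passes ^(iojs-)?v[0-9]+\.[0-9]+\.[0-9]+$ contains no backslashes for awk to expand.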


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openjsf; Openjsf node Version Manager
CPEs | | cpe:2.3:a:openjsf:node_version_manager:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openjsf; Openjsf node Version Manager

Thu, 04 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nvm-sh; Nvm-sh nvm
Vendors & Products | | Nvm-sh; Nvm-sh nvm

Thu, 04 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can therefore run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
Title | | nvm executes commands from a malicious Node.js mirror's version strings
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-04T18:11:18.108Z

Reserved: 2026-06-03T21:17:14.118Z

Link: CVE-2026-10796

Vulnrichment

Updated: 2026-06-04T18:11:14.134Z

NVD

Status : Analyzed

Published: 2026-06-04T18:16:28.150

Modified: 2026-06-04T20:33:13.913

Link: CVE-2026-10796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses