Description
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
Published: 2026-01-29
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection (local command execution; CVSS vector AV:L)
Action: Apply Patch
AI Analysis

Impact

NVM_AUTH_HEADER is the header value nvm forwards on its download requests. In affected versions, nvm_download() assembles the wget command as a string and runs it through eval; the curl branch passes the value through nvm_sanitize_auth_header(), the wget branch did not, so a host is exposed only when the download goes through wget rather than curl. A value containing a quote followed by shell metacharacters terminates the quoted header argument, and whatever follows is executed as shell the next time any download-triggering command runs, such as nvm install or nvm ls-remote. The flaw maps to CWE-78 (OS command injection) and CWE-95 (eval injection); the injected commands run with the privileges of the user invoking nvm.
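The two code paths side by side, as an added example rather than code from nvm: a hypothetical reconstruction of an eval-based wget invocation and its hardened equivalent. The wget function is a stand-in that only prints the argument vector it receives, the command string in vulnerable_download() is an assumed shape and not nvm's actual line, the allowlist in sanitize_auth_header() is this example's own and not necessarily what nvm_sanitize_auth_header() permits, and the payload and URL are constructed.

```shell
#!/bin/sh
# Illustrative reconstruction of the bug class (added example, not nvm's code).

# Stand-in for wget: prints the argv it received instead of downloading, so the
# example runs offline. Declared as a function so it shadows any real wget.
wget() {
  printf 'wget argv:'
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

# Hypothetical vulnerable pattern: the header value is spliced into a command
# string and the string is handed to eval. The single quotes only protect the
# command for as long as the value itself contains no single quote.
vulnerable_download() {
  cmd="wget -q -O - --header='Authorization: ${NVM_AUTH_HEADER}' '$1'"
  eval "$cmd"
}

# Assumed allowlist; what nvm_sanitize_auth_header() actually permits is not
# stated on this page. Everything outside the set, including quotes, ';', '|',
# '$', backticks, CR and LF, is dropped.
sanitize_auth_header() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9 :_./=+-'
}

# Hardened pattern: no eval at all, the value travels as one argv element, and
# it is sanitized first as defense in depth.
hardened_download() {
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    wget -q -O - --header "Authorization: $(sanitize_auth_header "$NVM_AUTH_HEADER")" "$1"
  else
    wget -q -O - "$1"
  fi
}

# Constructed payload: closes the quote the caller relied on, runs a command,
# then reopens a quote so the rest of the string still parses.
PAYLOAD="Bearer x' ; echo INJECTED ; echo '"
URL='https://example.invalid/node-v0.0.0.tar.gz'

demo_vulnerable() { ( NVM_AUTH_HEADER="$PAYLOAD"; vulnerable_download "$URL" ); }
demo_hardened()   { ( NVM_AUTH_HEADER="$PAYLOAD"; hardened_download "$URL" ); }

demo_vulnerable   # prints the wget argv, then a bare INJECTED line
demo_hardened     # prints one wget argv line; the payload stays inside the header
```

The fix that matters is the removal of eval: once the header is a single argv element, quoting in the value cannot change how the shell parses the command. The allowlist is secondary but still worth keeping, since it also strips CR and LF, which would otherwise reach wget as part of the header value.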

Affected Systems

The vulnerability affects nvm-sh/nvm in versions 0.40.3 and earlier. The official fix is included in version 0.40.4 and later, which sanitizes NVM_AUTH_HEADER in the wget code path via nvm_sanitize_auth_header(), matching what the curl code path already did.

Risk and Exploitability

The CVSS 4.0 base score of 5.4 (Medium) follows from the vector AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N: the attacker needs a foothold in the victim's environment rather than network access (AV:L), the attack depends on a precondition the attacker must first arrange, namely control of an environment variable (AT:P), and the victim only has to run an ordinary nvm command (UI:P); once that happens, confidentiality, integrity and availability of the user's context are fully compromised (VC:H/VI:H/VA:H). The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not listed in the CISA KEV catalogue. Realistic routes to the precondition are a compromised dotfile, a CI/CD job definition or pipeline template that sets NVM_AUTH_HEADER, or a container image that bakes it in; on any such host, a user who runs an nvm command that triggers a download executes the injected shell commands with that user's permissions.

Generated by OpenCVE AI on April 18, 2026 at 01:15 UTC.

Remediation

Vendor Solution

Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().


OpenCVE Recommended Actions

  • Upgrade to nvm version 0.40.4 or newer, which sanitizes NVM_AUTH_HEADER in the wget code path.
  • Ensure that the NVM_AUTH_HEADER environment variable is not set from untrusted sources; clear it before invoking nvm commands when running in shared or automated environments.
  • Treat the places that can set NVM_AUTH_HEADER as code under review: shell startup files (.bashrc, .bash_profile, .profile), CI/CD job definitions and pipeline templates, and Dockerfile ENV instructions. Limit who can change them and review changes, since any of them can plant the variable for every later nvm run.
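A pre-flight check for the two recommendations above, added here as an example and not a tool shipped with nvm: it scans assignment lines (a dotfile, a CI env file, or env output) for NVM_AUTH_HEADER values containing characters outside a conservative header allowlist, and runs a command with the variable removed from its environment. The sample dotfile lines are constructed, the allowlist is this example's own, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: a pre-flight check for the conditions this CVE needs, not a
# tool from nvm.

# Returns 0 (true) when the right-hand side of an NVM_AUTH_HEADER= assignment
# carries characters a bearer/basic credential never needs. One layer of
# surrounding quotes is stripped first (assumes simple, single-line assignments).
auth_header_value_is_suspicious() {
  v="$1"
  case "$v" in
    \"*\") v=${v#\"}; v=${v%\"} ;;
    \'*\') v=${v#\'}; v=${v%\'} ;;
  esac
  cleaned="$(printf '%s' "$v" | tr -cd 'A-Za-z0-9 :_./=+-')"
  [ "$cleaned" != "$v" ]
}

# Reads lines on stdin (a dotfile, a CI env file, `env` output), reports
# suspicious NVM_AUTH_HEADER assignments on stderr, and prints their count.
scan_auth_header_assignments() {
  count=0
  while IFS= read -r line; do
    case "$line" in
      *NVM_AUTH_HEADER=*) ;;
      *) continue ;;
    esac
    rhs="${line#*NVM_AUTH_HEADER=}"
    if auth_header_value_is_suspicious "$rhs"; then
      printf 'SUSPICIOUS: %s\n' "$line" >&2
      count=$((count + 1))
    fi
  done
  printf '%s\n' "$count"
}

# Constructed sample dotfile content (not a real file): one benign token and one
# value that breaks out of the quoting an eval-based caller would rely on.
sample_rc_lines() {
  printf '%s\n' \
    'export PATH="$HOME/bin:$PATH"' \
    'export NVM_AUTH_HEADER="Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"' \
    "alias ll='ls -la'" \
    "export NVM_AUTH_HEADER=\"Bearer x' ; echo INJECTED ; echo '\""
}

# Runs a command with NVM_AUTH_HEADER removed from its environment. A subshell
# with unset is used rather than env -u because POSIX env(1) has no -u option.
run_without_auth_header() { ( unset NVM_AUTH_HEADER; "$@" ); }

# Shows that the child sees no NVM_AUTH_HEADER even though the parent exported one.
demo_cleared_env() {
  (
    export NVM_AUTH_HEADER="Bearer x' ; echo INJECTED ; echo '"
    run_without_auth_header sh -c 'printf "%s" "${NVM_AUTH_HEADER-unset}"'
  )
}

sample_rc_lines | scan_auth_header_assignments   # reports the second assignment and prints 1
demo_cleared_env; echo                            # prints: unset
```

Feed it a real file with `scan_auth_header_assignments < ~/.bashrc` or the live environment with `env | scan_auth_header_assignments`; a non-zero count means the value should be inspected before nvm install or nvm ls-remote runs on that host. In shared or automated environments, wrapping the nvm call in run_without_auth_header removes the precondition entirely for jobs that do not need an authenticated mirror.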


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 19:15:00 +0000

  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 09:00:00 +0000

  First time appeared: Nvm-sh, Nvm-sh nvm
  Vendors & Products added: Nvm-sh, Nvm-sh nvm

Thu, 29 Jan 2026 23:15:00 +0000

  Description added: A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
  Title added: Command Injection in nvm via NVM_AUTH_HEADER in wget code path
  Weaknesses added: CWE-78, CWE-95
  References added: (none recorded)
  Metrics added: cvssV4_0
    {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

No values were removed in any of these entries.


MITRE

Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-01-30T18:27:52.134Z
Reserved: 2026-01-29T21:25:18.405Z
Link: CVE-2026-1665

Vulnrichment

Updated: 2026-01-30T18:27:41.029Z

NVD

Status: Deferred
Published: 2026-01-29T23:16:11.707
Modified: 2026-04-15T00:35:42.020
Link: CVE-2026-1665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses