Description

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

INFO

Published Date :

2026-01-29T23:04:05.741Z

Last Modified :

2026-01-30T18:27:52.134Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-1665 vulnerability.

Vendors Products
Nvm-sh
  • Nvm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1665.

URL Resource
https://github.com/nvm-sh/nvm cve-icon cve-icon
https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506 cve-icon cve-icon
https://github.com/nvm-sh/nvm/pull/3380 cve-icon cve-icon
https://github.com/nvm-sh/nvm/releases/tag/v0.40.4 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability