CVE-2026-1665
Command Injection in nvm via NVM_AUTH_HEADER in wget code path
Severity Score (CVSS v4): 5.4
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (multiple sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
Credits: Jiyong Yang (sy2n0@naver.com)
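As an added example (not nvm's own source), the unsafe eval pattern the description refers to, sketched in a comment, beside a validator for NVM_AUTH_HEADER and an eval-free download wrapper in POSIX sh. The function names, the character allowlist and the dry-run output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not nvm's source. Function names and the allowlist are
# illustrative. The pattern the advisory describes, sketched:
#   eval "wget --header=\"${NVM_AUTH_HEADER}\" \"${url}\""
# eval re-parses the expanded string, so a value that closes the quote is
# executed as shell. Two fixes below: validate the value (as the curl path
# already did) and never hand it to eval at all.

# Accept only characters a "Name: value" auth header legitimately needs:
# letters, digits, space, and : _ . / = + -  (quotes, ; | & $ backtick,
# backslash, CR/LF and similar are refused). Empty means "no header".
nvm_auth_header_is_safe() {
  # Spaces are dropped before the check; the trailing "x" sentinel keeps
  # $(...) from stripping a trailing newline (x itself is allowed).
  stripped=$(printf '%sx' "$1" | tr -d ' ')
  case $stripped in
    *[!A-Za-z0-9:_./=+-]*) return 1 ;;
  esac
  return 0
}

# Dry-run stand-in for the real fetch: prints one argv element per line so
# the example runs offline and the argument boundaries are visible.
nvm_run_dry() { printf '%s\n' "$@"; }

# eval-free download: the header travels as a single argv element, so the
# shell never re-parses it, and it is validated first regardless.
nvm_download_safe() {
  if ! nvm_auth_header_is_safe "$NVM_AUTH_HEADER"; then
    echo "nvm: NVM_AUTH_HEADER contains unexpected characters; refusing" >&2
    return 1
  fi
  if [ -n "$NVM_AUTH_HEADER" ]; then
    nvm_run_dry wget -q -O - --header="$NVM_AUTH_HEADER" "$1"
  else
    nvm_run_dry wget -q -O - "$1"
  fi
}
```

Replace nvm_run_dry with the real wget invocation to use it; the header still reaches wget as one argument, never through eval.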
CVSS Scores (Common Vulnerability Scoring System)
- Base metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction
- Impact (Vulnerable system | Subsequent system): Confidentiality, Integrity, Availability
SSVC
- Decision: -
- Decision points: Exploitation, Automatable, Technical Impact, Organization's Worst-case Scenario
Timeline
- 2026-01-29 CVE Reserved
- 2026-01-29 CVE Published
- 2026-01-29 CVE Updated
- ---------- EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CAPEC
- CAPEC-6: Argument Injection
- CAPEC-88: OS Command Injection
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/nvm-sh/nvm | Product | |
| https://github.com/nvm-sh/nvm/pull/3380 | X_introduced | |
| https://github.com/nvm-sh/nvm/releases/tag/v0.40.4 | Release Notes | |

| URL | Date | SRC |
|---|---|---|
| https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506 | 2026-01-29 | |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Nvm-sh | Nvm | >= 0.40.0 <= 0.40.3 | en | Affected |