CVE-2026-1665 (GCVE-0-2026-1665)

Vulnerability from cvelistv5 – Published: 2026-01-29 23:04 – Updated: 2026-01-30 18:27
VLAI?
Title
Command Injection in nvm via NVM_AUTH_HEADER in wget code path
Summary
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
Severity ?
5.4 (Medium)
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
Impacted products
Vendor Product Version
nvm-sh nvm Affected: 0.40.0 , ≤ 0.40.3 (semver)
Unaffected: 0.40.4 (semver)
Create a notification for this product.
Credits
Jiyong Yang (sy2n0@naver.com)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1665",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-30T18:27:21.196460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-30T18:27:52.134Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "nvm",
          "vendor": "nvm-sh",
          "versions": [
            {
              "lessThanOrEqual": "0.40.3",
              "status": "affected",
              "version": "0.40.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "0.40.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jiyong Yang (sy2n0@naver.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027.\u003c/p\u003e"
            }
          ],
          "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88 OS Command Injection"
            }
          ]
        },
        {
          "capecId": "CAPEC-6",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-6 Argument Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-29T23:06:47.873Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "name": "Fix commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506"
        },
        {
          "name": "Release v0.40.4",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4"
        },
        {
          "name": "nvm GitHub repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/nvm-sh/nvm"
        },
        {
          "tags": [
            "x_introduced"
          ],
          "url": "https://github.com/nvm-sh/nvm/pull/3380"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().\u003c/p\u003e"
            }
          ],
          "value": "Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header()."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-09T00:00:00.000Z",
          "value": "Fix committed"
        },
        {
          "lang": "en",
          "time": "2026-01-29T00:00:00.000Z",
          "value": "v0.40.4 released"
        }
      ],
      "title": "Command Injection in nvm via NVM_AUTH_HEADER in wget code path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-1665",
    "datePublished": "2026-01-29T23:04:05.741Z",
    "dateReserved": "2026-01-29T21:25:18.405Z",
    "dateUpdated": "2026-01-30T18:27:52.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1665\",\"sourceIdentifier\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"published\":\"2026-01-29T23:16:11.707\",\"lastModified\":\"2026-02-04T16:34:21.763\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n de comandos existe en nvm (Node Version Manager) versiones 0.40.3 e inferiores. La funci\u00f3n nvm_download() utiliza eval para ejecutar comandos wget, y la variable de entorno NVM_AUTH_HEADER no fue saneada en la ruta de c\u00f3digo de wget (aunque s\u00ed fue saneada en la ruta de c\u00f3digo de curl). Un atacante que puede establecer variables de entorno en el entorno de shell de una v\u00edctima (por ejemplo, a trav\u00e9s de configuraciones maliciosas de CI/CD, dotfiles comprometidos o im\u00e1genes de Docker) puede inyectar comandos de shell arbitrarios que se ejecutan cuando la v\u00edctima ejecuta comandos nvm que activan descargas, como \u0027nvm install\u0027 o \u0027nvm ls-remote\u0027.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-95\"}]}],\"references\":[{\"url\":\"https://github.com/nvm-sh/nvm\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\"},{\"url\":\"https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\"},{\"url\":\"https://github.com/nvm-sh/nvm/pull/3380\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\"},{\"url\":\"https://github.com/nvm-sh/nvm/releases/tag/v0.40.4\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1665\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-30T18:27:21.196460Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-30T18:27:41.029Z\"}}], \"cna\": {\"title\": \"Command Injection in nvm via NVM_AUTH_HEADER in wget code path\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jiyong Yang (sy2n0@naver.com)\"}], \"impacts\": [{\"capecId\": \"CAPEC-88\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-88 OS Command Injection\"}]}, {\"capecId\": \"CAPEC-6\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-6 Argument Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"nvm-sh\", \"product\": \"nvm\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.40.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.40.3\"}, {\"status\": \"unaffected\", \"version\": \"0.40.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-09T00:00:00.000Z\", \"value\": \"Fix committed\"}, {\"lang\": \"en\", \"time\": \"2026-01-29T00:00:00.000Z\", \"value\": \"v0.40.4 released\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506\", \"name\": \"Fix commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/nvm-sh/nvm/releases/tag/v0.40.4\", \"name\": \"Release v0.40.4\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://github.com/nvm-sh/nvm\", \"name\": \"nvm GitHub repository\", \"tags\": [\"product\"]}, {\"url\": \"https://github.com/nvm-sh/nvm/pull/3380\", \"tags\": [\"x_introduced\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-95\", \"description\": \"CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"shortName\": \"openjs\", \"dateUpdated\": \"2026-01-29T23:06:47.873Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1665\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-30T18:27:52.134Z\", \"dateReserved\": \"2026-01-29T21:25:18.405Z\", \"assignerOrgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"datePublished\": \"2026-01-29T23:04:05.741Z\", \"assignerShortName\": \"openjs\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.