FKIE_CVE-2026-1665

Vulnerability from fkie_nvd - Published: 2026-01-29 23:16 - Updated: 2026-02-04 16:34
Severity ?
5.4 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
References
ce714d77-add3-4f53-aff5-83d477b104bbhttps://github.com/nvm-sh/nvm
ce714d77-add3-4f53-aff5-83d477b104bbhttps://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506
ce714d77-add3-4f53-aff5-83d477b104bbhttps://github.com/nvm-sh/nvm/pull/3380
ce714d77-add3-4f53-aff5-83d477b104bbhttps://github.com/nvm-sh/nvm/releases/tag/v0.40.4
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim\u0027s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as \u0027nvm install\u0027 or \u0027nvm ls-remote\u0027."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n de comandos existe en nvm (Node Version Manager) versiones 0.40.3 e inferiores. La funci\u00f3n nvm_download() utiliza eval para ejecutar comandos wget, y la variable de entorno NVM_AUTH_HEADER no fue saneada en la ruta de c\u00f3digo de wget (aunque s\u00ed fue saneada en la ruta de c\u00f3digo de curl). Un atacante que puede establecer variables de entorno en el entorno de shell de una v\u00edctima (por ejemplo, a trav\u00e9s de configuraciones maliciosas de CI/CD, dotfiles comprometidos o im\u00e1genes de Docker) puede inyectar comandos de shell arbitrarios que se ejecutan cuando la v\u00edctima ejecuta comandos nvm que activan descargas, como \u0027nvm install\u0027 o \u0027nvm ls-remote\u0027."
    }
  ],
  "id": "CVE-2026-1665",
  "lastModified": "2026-02-04T16:34:21.763",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-29T23:16:11.707",
  "references": [
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "url": "https://github.com/nvm-sh/nvm"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "url": "https://github.com/nvm-sh/nvm/pull/3380"
    },
    {
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4"
    }
  ],
  "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-95"
        }
      ],
      "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.