CVE-2026-1665 Overview
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as nvm install or nvm ls-remote.
Critical Impact
Attackers with the ability to control environment variables can achieve arbitrary command execution when victims run common nvm download operations, potentially leading to full system compromise in development and CI/CD environments.
Affected Products
- nvm (Node Version Manager) versions 0.40.3 and below
- Systems using the wget download path in nvm
- CI/CD pipelines and Docker environments utilizing nvm
Discovery Timeline
- 2026-01-29 - CVE CVE-2026-1665 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-1665
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as Command Injection. The flaw stems from an inconsistent security implementation between the curl and wget code paths within the nvm_download() function.
While the curl code path properly sanitized the NVM_AUTH_HEADER environment variable, the wget code path failed to apply the same sanitization. This oversight creates an exploitable attack surface when nvm uses wget as its download mechanism.
The vulnerability requires local access and a specific precondition: the attacker must be able to set environment variables in the victim's shell environment. Common attack scenarios include malicious CI/CD configurations, compromised dotfiles (such as .bashrc or .zshrc), or trojanized Docker images that pre-set the malicious environment variable.
Root Cause
The root cause is the direct interpolation of the unsanitized NVM_AUTH_HEADER environment variable into a command string that is subsequently executed via eval. The wget code path constructed the arguments string by appending the raw header value without calling the nvm_sanitize_auth_header function, unlike the curl implementation which properly sanitized the input.
Attack Vector
The attack vector is local, requiring the attacker to have the ability to manipulate environment variables in the target's shell session. Exploitation occurs when a victim executes nvm commands that trigger the download functionality (such as nvm install <version> or nvm ls-remote) while the malicious NVM_AUTH_HEADER environment variable is set.
An attacker could inject shell metacharacters and commands into the NVM_AUTH_HEADER value. When the unsanitized value is passed to eval wget, the injected commands execute with the privileges of the user running nvm.
")
if [ -n "${NVM_AUTH_HEADER:-}" ]; then
- ARGS="${ARGS} --header \"${NVM_AUTH_HEADER}\""
+ sanitized_header=$(nvm_sanitize_auth_header "${NVM_AUTH_HEADER}")
+ ARGS="${ARGS} --header \"${sanitized_header}\""
fi
# shellcheck disable=SC2086
eval wget $ARGS
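Review bot: the fix keeps `eval wget $ARGS` in place and only sanitizes the value before it is interpolated into ARGS, so the wget path is exactly as safe as nvm_sanitize_auth_header is strict, and the curl and wget paths must stay in lockstep for either to remain safe. A more robust change is to stop re-parsing a string at all: build the argument list with `set -- "$@" --header "${NVM_AUTH_HEADER}"` and invoke `wget "$@"`, which also removes the need for the `# shellcheck disable=SC2086` suppression. A regression test that sets NVM_AUTH_HEADER to a value containing the metacharacters the advisory lists and checks that no extra command runs would guard both paths.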
Source: GitHub Commit 44e2590
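The root cause described above is string interpolation followed by eval. The following added example (not nvm's own code) shows the two changes a hardened wget path would want: an allowlist check on NVM_AUTH_HEADER and an argument list built with `set --` so the header is a single argv word that is never re-parsed; `nvm_header_is_safe`, `nvm_safe_download` and the `NVM_WGET` hook are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not nvm's own code. Hardened alternative to the eval-based
# wget invocation: an allowlist check on NVM_AUTH_HEADER, then an argument
# list built with "set --" so the header is one argv word and nothing is
# ever re-parsed by eval.

# Return 0 when the header looks like "Name: value" and uses only
# allowlisted characters; return 1 for anything else, which covers the
# ; | $( and backtick metacharacters an injection would need, plus an
# embedded newline (grep alone would check a multi-line value line by line).
nvm_header_is_safe() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9-]+: [A-Za-z0-9 ._/=+-]+$'
}

# Hypothetical replacement for "eval wget $ARGS". NVM_WGET is an assumed
# hook so a stub can stand in for the real wget binary when testing offline.
nvm_safe_download() {
  url="$1"
  set -- --quiet -O -
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    if ! nvm_header_is_safe "${NVM_AUTH_HEADER}"; then
      echo "nvm_safe_download: NVM_AUTH_HEADER contains disallowed characters" >&2
      return 2
    fi
    # Appended as its own word: quotes or $( inside the value stay inert.
    set -- "$@" --header "${NVM_AUTH_HEADER}"
  fi
  "${NVM_WGET:-wget}" "$@" "$url"
}
```

The allowlist is deliberately conservative; widen it only for characters a real token format needs, never to admit shell syntax.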
Detection Methods for CVE-2026-1665
Indicators of Compromise
- Unusual or malformed values in the NVM_AUTH_HEADER environment variable containing shell metacharacters (;, |, $(), backticks)
- Unexpected child processes spawned from nvm or wget operations
- Suspicious modifications to shell configuration files (.bashrc, .zshrc, .profile) adding NVM_AUTH_HEADER exports
Detection Strategies
- Monitor for unexpected environment variable modifications in CI/CD pipeline logs and container startup scripts
- Audit shell configuration files for unauthorized additions of NVM_AUTH_HEADER exports
- Implement file integrity monitoring on dotfiles and Docker image layers
- Review CI/CD configurations for untrusted environment variable injection points
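The dotfile audit in the strategy list above, as an added example that is not part of the original advisory: `audit_nvm_header_exports` is a hypothetical helper that scans the files it is given for NVM_AUTH_HEADER assignments and reports those whose value carries the indicator metacharacters.

```shell
#!/bin/sh
# Added example, not nvm's own code. Report NVM_AUTH_HEADER assignments in
# shell start-up files whose value contains ; | $( or a backtick, the
# indicators listed above. Output is file:line:content; the exit status is
# 0 when something was flagged and 1 otherwise, so it can fail a CI step.
# A legitimate dotfile that reads a token with $(cat ...) will also be
# flagged: treat a hit as a triage item, not a verdict.
audit_nvm_header_exports() {
  found=1
  for f in "$@"; do
    [ -r "$f" ] || continue
    # Plain and exported assignments, with any leading indentation.
    hits=$(grep -nE '^[[:space:]]*(export[[:space:]]+)?NVM_AUTH_HEADER=' "$f" \
             | grep -E '[;|`]|\$\(' || true)
    if [ -n "$hits" ]; then
      found=0
      printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$f" "$line"
      done
    fi
  done
  return "$found"
}
```

Run it over ~/.bashrc, ~/.zshrc, ~/.profile and any container entrypoint scripts; plain `${VAR}` expansions in the value are not flagged.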
Monitoring Recommendations
- Enable command-line auditing to capture wget invocations with suspicious header arguments
- Deploy endpoint detection and response (EDR) solutions to identify anomalous process chains originating from nvm operations
- Implement environment variable logging in CI/CD systems to detect malicious injection attempts
How to Mitigate CVE-2026-1665
Immediate Actions Required
- Upgrade nvm to version 0.40.4 or later immediately
- Audit existing NVM_AUTH_HEADER environment variable values across development environments, CI/CD pipelines, and Docker images
- Review and validate all sources of environment variable configuration in your infrastructure
- Scan shell configuration files for unauthorized modifications
Patch Information
The vulnerability has been addressed in nvm version 0.40.4. The fix applies the nvm_sanitize_auth_header function to the NVM_AUTH_HEADER value before interpolating it into the wget command arguments. The patch is available via GitHub Pull Request #3380 and the fixed release can be obtained from GitHub Release v0.40.4.
Workarounds
- Unset the NVM_AUTH_HEADER environment variable if not required: unset NVM_AUTH_HEADER
- Configure nvm to use curl instead of wget where possible, as the curl code path was already properly sanitized
- Restrict write access to shell configuration files and CI/CD pipeline definitions
- Implement environment variable allowlisting in CI/CD systems to prevent injection of unexpected variables
# Upgrade nvm to patched version
cd "$NVM_DIR"
git fetch --tags origin
git checkout v0.40.4
source "$NVM_DIR/nvm.sh"
# Verify installation
nvm --version
# Should output: 0.40.4
# Alternative: Unset potentially malicious environment variable
unset NVM_AUTH_HEADER
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.