Skip to main content
CVE Vulnerability Database

CVE-2026-1665: Node Version Manager (nvm) RCE Vulnerability

CVE-2026-1665 is a command injection vulnerability in Node Version Manager (nvm) that allows remote code execution through unsanitized environment variables. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-1665 Overview

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as nvm install or nvm ls-remote.

Critical Impact

Attackers with the ability to control environment variables can achieve arbitrary command execution when victims run common nvm download operations, potentially leading to full system compromise in development and CI/CD environments.

Affected Products

  • nvm (Node Version Manager) versions 0.40.3 and below
  • Systems using the wget download path in nvm
  • CI/CD pipelines and Docker environments utilizing nvm

Discovery Timeline

  • 2026-01-29 - CVE CVE-2026-1665 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-1665

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as Command Injection. The flaw stems from an inconsistent security implementation between the curl and wget code paths within the nvm_download() function.

While the curl code path properly sanitized the NVM_AUTH_HEADER environment variable, the wget code path failed to apply the same sanitization. This oversight creates an exploitable attack surface when nvm uses wget as its download mechanism.

The vulnerability requires local access and specific preconditions—an attacker must be able to set environment variables in the victim's shell environment. Common attack scenarios include malicious CI/CD configurations, compromised dotfiles (such as .bashrc or .zshrc), or trojanized Docker images that pre-set the malicious environment variable.

Root Cause

The root cause is the direct interpolation of the unsanitized NVM_AUTH_HEADER environment variable into a command string that is subsequently executed via eval. The wget code path constructed the arguments string by appending the raw header value without calling the nvm_sanitize_auth_header function, unlike the curl implementation which properly sanitized the input.

Attack Vector

The attack vector is local, requiring the attacker to have the ability to manipulate environment variables in the target's shell session. Exploitation occurs when a victim executes nvm commands that trigger the download functionality (such as nvm install <version> or nvm ls-remote) while the malicious NVM_AUTH_HEADER environment variable is set.

An attacker could inject shell metacharacters and commands into the NVM_AUTH_HEADER value. When the unsanitized value is passed to eval wget, the injected commands execute with the privileges of the user running nvm.

bash
    ")
 
    if [ -n "${NVM_AUTH_HEADER:-}" ]; then
-      ARGS="${ARGS} --header \"${NVM_AUTH_HEADER}\""
+      sanitized_header=$(nvm_sanitize_auth_header "${NVM_AUTH_HEADER}")
+      ARGS="${ARGS} --header \"${sanitized_header}\""
    fi
    # shellcheck disable=SC2086
    eval wget $ARGS

Source: GitHub Commit 44e2590

Detection Methods for CVE-2026-1665

Indicators of Compromise

  • Unusual or malformed values in the NVM_AUTH_HEADER environment variable containing shell metacharacters (;, |, $(), backticks)
  • Unexpected child processes spawned from nvm or wget operations
  • Suspicious modifications to shell configuration files (.bashrc, .zshrc, .profile) adding NVM_AUTH_HEADER exports

Detection Strategies

  • Monitor for unexpected environment variable modifications in CI/CD pipeline logs and container startup scripts
  • Audit shell configuration files for unauthorized additions of NVM_AUTH_HEADER exports
  • Implement file integrity monitoring on dotfiles and Docker image layers
  • Review CI/CD configurations for untrusted environment variable injection points

Monitoring Recommendations

  • Enable command-line auditing to capture wget invocations with suspicious header arguments
  • Deploy endpoint detection and response (EDR) solutions to identify anomalous process chains originating from nvm operations
  • Implement environment variable logging in CI/CD systems to detect malicious injection attempts

How to Mitigate CVE-2026-1665

Immediate Actions Required

  • Upgrade nvm to version 0.40.4 or later immediately
  • Audit existing NVM_AUTH_HEADER environment variable values across development environments, CI/CD pipelines, and Docker images
  • Review and validate all sources of environment variable configuration in your infrastructure
  • Scan shell configuration files for unauthorized modifications

Patch Information

The vulnerability has been addressed in nvm version 0.40.4. The fix applies the nvm_sanitize_auth_header function to the NVM_AUTH_HEADER value before interpolating it into the wget command arguments. The patch is available via GitHub Pull Request #3380 and the fixed release can be obtained from GitHub Release v0.40.4.

Workarounds

  • Unset the NVM_AUTH_HEADER environment variable if not required: unset NVM_AUTH_HEADER
  • Configure nvm to use curl instead of wget where possible, as the curl code path was already properly sanitized
  • Restrict write access to shell configuration files and CI/CD pipeline definitions
  • Implement environment variable allowlisting in CI/CD systems to prevent injection of unexpected variables
bash
# Upgrade nvm to patched version
cd "$NVM_DIR"
git fetch --tags origin
git checkout v0.40.4
source "$NVM_DIR/nvm.sh"

# Verify installation
nvm --version
# Should output: 0.40.4

# Alternative: Unset potentially malicious environment variable
unset NVM_AUTH_HEADER

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.