VYPR
Medium severityOSV Advisory· Published Jan 29, 2026· Updated Apr 15, 2026

CVE-2026-1665

CVE-2026-1665

Description

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Nvm Sh/NvmOSV2 versions
    v0.0.1, v0.0.6, v0.1.0, …+ 1 more
    • (no CPE)range: v0.0.1, v0.0.6, v0.1.0, …
    • (no CPE)range: <=0.40.3

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.