Arbitrary Command Execution Vulnerability in Node Version Manager by nvm
CVE-2026-10796
What is CVE-2026-10796?
The Node Version Manager (nvm) prior to version 0.40.4 is susceptible to a vulnerability that allows an attacker to execute arbitrary commands through untrusted input in version strings. This occurs during the execution of commands like nvm install, which builds download URLs and shell commands based on the input from a configured Node.js/io.js mirror. Specifically, the use of eval in the nvm_download() function and unchecked interpolation in nvm_get_checksum() makes it possible for a crafted version string to execute arbitrary commands through the shell or awk. This could be exploited by a malicious actor who controls the configured mirror or interferes with a non-TLS mirror, leading to potential security breaches. The vulnerability has been addressed in newer versions by improving command handling through the use of argument lists and input validation.
Affected Version(s)
nvm 0 <= 0.40.4
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
