Node.js Version Manager Vulnerability in NVM by nvm-sh
CVE-2026-15921
What is CVE-2026-15921?
Node Version Manager (nvm) versions from 0.32.1 to 0.40.5 are susceptible to a path traversal vulnerability. When commands like nvm ls-remote are executed, remote LTS aliases can be manipulated by a compromised mirror, enabling attackers to craft special LTS codenames that contain path-traversal sequences. This flaw allows nvm to write version strings to unintended locations outside the designated alias directory, potentially overwriting important user files, including shell startup scripts. Successful exploitation necessitates the use of a malicious or compromised mirror during command execution. The issue has been resolved in version 0.40.6, which implements proper validation of remote LTS codenames to thwart such attacks.
Affected Version(s)
nvm 0.32.1 < 0.40.6
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
