Node.js Version Manager Vulnerability in NVM by nvm-sh
CVE-2026-15921

2.1LOW

Key Information:

Vendor

Nvm-sh

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-15921?

Node Version Manager (nvm) versions from 0.32.1 to 0.40.5 are susceptible to a path traversal vulnerability. When commands like nvm ls-remote are executed, remote LTS aliases can be manipulated by a compromised mirror, enabling attackers to craft special LTS codenames that contain path-traversal sequences. This flaw allows nvm to write version strings to unintended locations outside the designated alias directory, potentially overwriting important user files, including shell startup scripts. Successful exploitation necessitates the use of a malicious or compromised mirror during command execution. The issue has been resolved in version 0.40.6, which implements proper validation of remote LTS codenames to thwart such attacks.

Affected Version(s)

nvm 0.32.1 < 0.40.6

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sy2n0 (https://github.com/Sy2n0)
Jordan Harband (https://github.com/ljharb)
.