Command Injection Vulnerability in Node Version Manager by NVM
CVE-2026-1665

5.4 MEDIUM

Key Information:

Vendor: Nvm-sh

Status: Vendor

CVE Published: 29 January 2026

What is CVE-2026-1665?

A command injection vulnerability exists in Node Version Manager (NVM) versions 0.40.3 and earlier. The issue arises in the nvm_download() function, which uses eval to execute wget commands without properly sanitizing the NVM_AUTH_HEADER environment variable. As a result, an attacker can exploit this vulnerability by setting malicious environment variables in a user's shell environment—possibly through compromised CI/CD configurations or Docker images. When the victim runs an NVM command that triggers a download, such as 'nvm install' or 'nvm ls-remote', arbitrary shell commands can be executed, leading to potential unauthorized actions on the victim's system.
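As an added illustration (not nvm's own code and not the vendor's fix), the pattern the advisory describes beside a construction that never re-parses the header value. NVM_AUTH_HEADER comes from the page; the function names and the download URL used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not nvm's code): two ways to hand a user-controlled header
# to wget. The header is assumed to arrive in NVM_AUTH_HEADER, as the advisory
# describes; "$url" stands for a hypothetical download URL.
#
# Unsafe shape, as the advisory describes nvm_download(): the value is spliced
# into a command string that eval re-parses, so shell metacharacters inside
# NVM_AUTH_HEADER are interpreted by the shell instead of sent as header data.
#
#   eval "wget --header='${NVM_AUTH_HEADER}' ${url}"     # vulnerable pattern
#
# Safe shape: no eval. The header is passed as one argv element; the shell
# expands "$header" exactly once and never parses its contents as code.

# Defence in depth: accept a single well-formed "Name: value" header with no
# CR or LF, so the value cannot smuggle extra header lines into the request.
nvm_auth_header_is_safe() {
  _nl=$(printf '\nx'); _nl=${_nl%x}
  _cr=$(printf '\r')
  case "$1" in
    *"$_nl"*|*"$_cr"*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+:[[:blank:]]*[[:print:]]*$'
}

# Build wget's argument vector without eval and print one argument per line,
# so the caller (or a test) can confirm the header survives as one literal
# argument. A real downloader would run:  wget "$@"
nvm_wget_args() {
  _url=$1
  _header=${2-}
  set -- -q -O -
  if [ -n "$_header" ]; then
    nvm_auth_header_is_safe "$_header" || {
      echo 'refusing malformed NVM_AUTH_HEADER' >&2
      return 2
    }
    set -- "$@" --header="$_header"
  fi
  set -- "$@" "$_url"
  printf '%s\n' "$@"
}
```

Metacharacters such as `;` or `$(...)` in the header are harmless here because no eval ever re-reads them; the validator only blocks line breaks, which proper quoting alone does not address.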

Affected Version(s)

nvm 0.40.0 through 0.40.3

nvm 0.40.4

References

CVSS V4

Score: 5.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jiyong Yang (sy2n0@naver.com)