CVE-2026-10796
Analyzed Analyzed - Analysis Complete
Command Injection in nvm Node Version Manager

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: openjs

Description
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-10796
EUVD
EUVD-2026-34303
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openjsf node_version_manager to 0.40.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects nvm (Node Version Manager) versions through 0.40.4 and involves command injection through malicious version strings supplied by the configured Node.js/io.js mirror.

When commands like `nvm install` read available versions from the mirror's index.tab file, they use these version strings without sanitization to build download URLs and shell or awk commands.

Two main vulnerable points exist: the nvm_download() function uses `eval` to run a curl/wget command string containing the version string, allowing command substitution (e.g., $(id)) to execute arbitrary shell commands; and the nvm_get_checksum() function interpolates the version-derived slug directly into an awk program, enabling arbitrary command execution via awk's system() function.

An attacker who controls the mirror, supplies malicious mirror content, or performs a man-in-the-middle attack on a non-TLS mirror can execute arbitrary commands with the privileges of the user running nvm.

The default TLS-secured mirror (https://nodejs.org) is not affected. The vulnerability was fixed by removing the use of eval, passing arguments safely to curl/wget, passing data safely to awk, and rejecting version strings that do not conform to the expected version grammar.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary commands on your system with the same privileges as the user running nvm.

If you use a non-default mirror that is controlled by an attacker or if a man-in-the-middle attack occurs on an unsecured (non-TLS) mirror, malicious version strings can be injected and executed.

This can lead to compromise of your system's confidentiality, integrity, and availability, as arbitrary shell commands can be run.

The CVSS score of 7.5 (High) reflects the serious impact, including potential data loss, system compromise, or disruption of services.

Detection Guidance

This vulnerability involves execution of arbitrary commands through malicious version strings supplied by a configured Node.js/io.js mirror. Detection involves checking if any version strings used by nvm contain suspicious command substitution patterns such as $(...) or shell metacharacters.

You can inspect the version strings retrieved from the mirror's index.tab file for suspicious content. For example, you might manually fetch and review the index.tab file from your configured mirror URL.

  • Use curl or wget to download the index.tab file from your configured mirror and inspect it for suspicious entries:
  • curl -s https://your-configured-mirror-url/index.tab | grep -E '\$\(|`|;|&&|\|\|'
  • wget -qO- https://your-configured-mirror-url/index.tab | grep -E '\$\(|`|;|&&|\|\|'

Additionally, monitor for unexpected files or side effects that might indicate command execution, such as unexpected files created in /tmp or unusual processes spawned during nvm install operations.

Mitigation Strategies

To mitigate this vulnerability immediately, you should avoid using non-default or non-TLS mirrors for nvm operations, as the default mirror (https://nodejs.org over TLS) is not affected.

Update nvm to version 0.40.5 or later, where the vulnerability is fixed by removing unsafe eval usage, sanitizing version strings, and passing arguments safely to shell commands and awk.

  • Use only the official default HTTPS mirror for Node.js versions.
  • Upgrade nvm to the latest version that includes the security patches.
  • If upgrading immediately is not possible, manually validate and sanitize version strings before use, rejecting any containing suspicious characters outside the allowed set [0-9A-Za-z._+-].

These steps prevent attackers from supplying malicious version strings that could lead to arbitrary command execution.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands with the privileges of the user running nvm by exploiting unsanitized version strings from mirrors. Such unauthorized command execution can lead to compromise of system confidentiality, integrity, and availability.

Because the vulnerability can result in unauthorized access and control over user systems, it may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure system operations.

Specifically, if an attacker exploits this vulnerability to access or manipulate personal or protected health information, it could lead to violations of data protection requirements under these regulations.

Mitigations include using only the default TLS-secured mirror and applying patches that sanitize inputs and avoid unsafe command execution, which help maintain compliance by reducing the risk of unauthorized command execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart