CVE-2026-10796
Command Injection in nvm Node Version Manager
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: openjs
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openjsf | node_version_manager | all versions before 0.40.5 (0.40.5 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects nvm (Node Version Manager) versions through 0.40.4 and involves command injection through malicious version strings supplied by the configured Node.js/io.js mirror.
When commands such as `nvm install` read the list of available versions from the mirror's index.tab file, they use those version strings without sanitization to build download URLs and shell or awk commands.
There are two main vulnerable points. First, the nvm_download() function runs a curl/wget command string that contains the version string through `eval`, so command substitution inside the string (e.g., $(id)) executes arbitrary shell commands. Second, the nvm_get_checksum() function interpolates the version-derived slug directly into an awk program, which allows arbitrary command execution via awk's system() function.
An attacker who controls the mirror, supplies malicious mirror content, or performs a man-in-the-middle attack on a non-TLS mirror can execute arbitrary commands with the privileges of the user running nvm.
The default TLS-secured mirror (https://nodejs.org) is not affected. The vulnerability was fixed by removing the use of eval, passing arguments safely to curl/wget, passing data safely to awk, and rejecting version strings that do not conform to the expected version grammar.
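As an added illustration of the three measures the fix description lists (no `eval`, arguments passed directly to curl/wget, data passed to awk as data, and a version grammar check), here is example code written for this page. It is not nvm's own implementation: the allowed character set [0-9A-Za-z._+-] comes from the advisory, while the function names, the URL layout and the sample checksum file are assumptions.

```shell
#!/bin/sh
# Added example, not nvm's own code: defensive version handling written as
# small POSIX sh functions. The allowed character set [0-9A-Za-z._+-] is
# taken from the advisory; function names, URL layout and the sample
# checksum file below are assumptions made for this example.

# Accept only version strings built from the allowed character set.
# Returns 0 when valid, 1 otherwise. Because "$", "(", "`" and ";" are
# not in the set, command substitution text never reaches sh or awk.
nvm_validate_version() {
  case "$1" in
    '') return 1 ;;
    *[!0-9A-Za-z._+-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the download URL from validated parts and print it on stdout.
# Usage: nvm_download_url MIRROR VERSION SLUG
nvm_download_url() {
  url_mirror="$1"; url_version="$2"; url_slug="$3"
  nvm_validate_version "$url_version" || { echo "rejected version string" >&2; return 1; }
  nvm_validate_version "$url_slug" || { echo "rejected slug" >&2; return 1; }
  printf '%s/%s/%s.tar.gz\n' "$url_mirror" "$url_version" "$url_slug"
}

# Eval-free fetch: the URL is a single argv element for curl, so whatever
# it contains is data to curl, never shell syntax. The vulnerable shape the
# advisory describes was the equivalent of  eval "curl ... $url"  instead.
# Usage: nvm_download_safe MIRROR VERSION SLUG OUTFILE
nvm_download_safe() {
  dl_url=$(nvm_download_url "$1" "$2" "$3") || return 1
  curl -fsSL -o "$4" -- "$dl_url"
}

# Checksum lookup: the filename is handed to awk with -v, so inside the
# program it is a string value, not program text, and it is compared with
# == rather than used as a regex. Prints the checksum or nothing.
# Usage: nvm_get_checksum_safe FILENAME SHASUMS_FILE
nvm_get_checksum_safe() {
  nvm_validate_version "$1" || return 1
  awk -v target="$1" '$2 == target { print $1; exit }' "$2"
}

# Constructed sample SHASUMS256.txt-style file (not real Node.js checksums).
SAMPLE_SHASUMS="${TMPDIR:-/tmp}/example-shasums.$$"
printf '%s  %s\n' \
  'aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111' 'node-v20.0.0-linux-x64.tar.gz' \
  'bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222' 'node-v20.0.0-darwin-arm64.tar.gz' \
  > "$SAMPLE_SHASUMS"

# Demonstration on the constructed data (no network access needed).
nvm_download_url 'https://mirror.example' 'v20.0.0' 'node-v20.0.0-linux-x64'
nvm_get_checksum_safe 'node-v20.0.0-darwin-arm64.tar.gz' "$SAMPLE_SHASUMS"
```

The grammar check runs before any string is placed into a command, so a rejected version never reaches curl, wget or awk at all; the argument-passing changes are a second, independent layer in case the check is ever bypassed.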
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary commands with the privileges of the user running nvm by exploiting unsanitized version strings from mirrors. Such unauthorized command execution can lead to compromise of system confidentiality, integrity, and availability.
Because the vulnerability can result in unauthorized access and control over user systems, it may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure system operations.
Specifically, if an attacker exploits this vulnerability to access or manipulate personal or protected health information, it could lead to violations of data protection requirements under these regulations.
Mitigations include using only the default TLS-secured mirror and applying patches that sanitize inputs and avoid unsafe command execution, which help maintain compliance by reducing the risk of unauthorized command execution.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary commands on your system with the same privileges as the user running nvm.
If you use a non-default mirror that is controlled by an attacker or if a man-in-the-middle attack occurs on an unsecured (non-TLS) mirror, malicious version strings can be injected and executed.
This can lead to compromise of your system's confidentiality, integrity, and availability, as arbitrary shell commands can be run.
The CVSS score of 7.5 (High) reflects the serious impact, including potential data loss, system compromise, or disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves execution of arbitrary commands through malicious version strings supplied by a configured Node.js/io.js mirror. Detection therefore means checking whether any version string nvm would use contains command-substitution syntax such as $(...) or other shell metacharacters.
You can inspect the version strings retrieved from the mirror's index.tab file for suspicious content, for example by fetching the index.tab file from your configured mirror URL and reviewing it manually.
- Use curl or wget to download the index.tab file from your configured mirror and inspect it for suspicious entries:
  - ``curl -s https://your-configured-mirror-url/index.tab | grep -E '\$\(|`|;|&&|\|\|'``
  - ``wget -qO- https://your-configured-mirror-url/index.tab | grep -E '\$\(|`|;|&&|\|\|'``
Additionally, monitor for unexpected files or side effects that might indicate command execution, such as unexpected files created in /tmp or unusual processes spawned during nvm install operations.
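The grep commands above look for a short denylist of metacharacters. The following added example (written for this page, not part of the advisory or of nvm) applies the allowlist the fix enforces instead, flagging any index.tab entry whose version field contains a character outside [0-9A-Za-z._+-], which also catches characters a denylist would miss. It reads a local copy of index.tab; the header-row layout (first column "version", tab-separated) follows the index.tab files published by nodejs.org, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of nvm: scan a mirror's
# index.tab for version entries outside the grammar the fix enforces.
# The allowed set [0-9A-Za-z._+-] comes from the advisory; the sample
# index.tab below is constructed for this example.

# Print "<line number>: <version>" for every data row whose first
# (version) field contains a character outside the allowed set.
# Returns 0 when nothing is flagged, 1 when at least one row is flagged.
# Usage: scan_index_tab PATH_TO_INDEX_TAB
scan_index_tab() {
  awk -F '\t' '
    NR == 1 && $1 == "version" { next }                 # header row
    $1 !~ /^[0-9A-Za-z._+-]+$/ { print NR ": " $1; bad++ }
    END { exit (bad > 0) }
  ' "$1"
}

# Number of flagged rows, as a plain integer on stdout.
count_suspicious_versions() {
  scan_index_tab "$1" | wc -l | tr -d ' '
}

# Constructed sample index.tab: two well-formed rows and two rows carrying
# command-substitution syntax, as a hostile mirror might serve them.
SAMPLE_INDEX="${TMPDIR:-/tmp}/example-index.tab.$$"
{
  printf 'version\tdate\tfiles\n'
  printf 'v20.0.0\t2023-04-18\tlinux-x64,darwin-arm64\n'
  printf 'v18.16.0\t2023-04-12\tlinux-x64\n'
  printf 'v20.0.0$(date)\t2023-04-18\tlinux-x64\n'
  printf 'v20.0.0`date`\t2023-04-18\tlinux-x64\n'
} > "$SAMPLE_INDEX"

# Demonstration: list the flagged rows, then report the count.
scan_index_tab "$SAMPLE_INDEX" || echo "flagged rows: $(count_suspicious_versions "$SAMPLE_INDEX")"
```

To run this against a real mirror, save the fetched file first (for example `curl -s https://your-configured-mirror-url/index.tab > index.tab`) and pass that path; the scanner never executes anything from the file, it only compares field one against the allowlist.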
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should avoid using non-default or non-TLS mirrors for nvm operations, as the default mirror (https://nodejs.org over TLS) is not affected.
Update nvm to version 0.40.5 or later, where the vulnerability is fixed by removing unsafe eval usage, sanitizing version strings, and passing arguments safely to shell commands and awk.
- Use only the official default HTTPS mirror for Node.js versions.
- Upgrade nvm to the latest version that includes the security patches.
- If upgrading immediately is not possible, manually validate and sanitize version strings before use, rejecting any containing suspicious characters outside the allowed set [0-9A-Za-z._+-].
These steps prevent attackers from supplying malicious version strings that could lead to arbitrary command execution.