CVE-2026-15921
Received Received - Intake

Path Traversal in Node Version Manager

Vulnerability report for CVE-2026-15921, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: harborist

Description

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, `nvm ls-remote` (and other commands that refresh remote LTS aliases, such as `nvm install --lts`) parse the node.js mirror's `index.tab` and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as `../../../.bashrc`, causing nvm to write the associated version string to a path outside `$NVM_DIR/alias`. With the default layout (`$NVM_DIR` is `~/.nvm`), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured `NVM_NODEJS_ORG_MIRROR`/`NVM_IOJS_ORG_MIRROR` -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects `..` path components when writing alias files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Node Version Manager (nvm) versions 0.32.1 through 0.40.5. It allows a malicious mirror to write files outside the intended directory by using path-traversal sequences in LTS codenames. For example, an LTS codename like ../../../.bashrc could cause nvm to write version strings to unintended locations, including the user's home directory.

Impact Analysis

This vulnerability could allow an attacker to overwrite critical files in your home directory, such as shell startup files like .bashrc or .zshrc. If exploited, it may lead to arbitrary code execution when you start a new shell session, potentially compromising your system or user account.

Detection Guidance

Check if you are using nvm versions between 0.32.1 and 0.40.5. Run 'nvm --version' to verify. Inspect files in ~/.nvm/alias for unexpected paths or modifications. Review shell startup files like ~/.bashrc, ~/.zshrc for suspicious changes.

Mitigation Strategies

Upgrade nvm to version 0.40.6 or later immediately. Avoid using untrusted mirrors by setting NVM_NODEJS_ORG_MIRROR to a verified source. Remove any suspicious files in your home directory or ~/.nvm/alias.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart