CVE-2026-10796: nvm Command Injection via Mirror Version Strings
nvm (Node Version Manager) versions through 0.40.4 contain a command injection vulnerability in how they process version strings retrieved from configured Node.js mirrors. When you run commands like `nvm install`, the tool fetches available versions from a mirror's index and builds download URLs and shell commands using the version string without proper sanitization. An attacker controlling the mirror, intercepting unencrypted mirror traffic, or providing malicious mirror content can inject arbitrary commands that execute with the privileges of the user running nvm. The official default mirror (nodejs.org over HTTPS) is not affected, but users relying on alternative mirrors or unencrypted connections face significant risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from two distinct code paths in nvm that process untrusted version strings from mirror metadata. The nvm_download() function constructs curl or wget commands by directly interpolating version strings into a shell command, then executing it via eval—allowing command substitution syntax like $(id) to be interpreted by the shell. Separately, nvm_get_checksum() passes the version string directly into an awk program via string interpolation, enabling arbitrary code execution through awk's system() function. Both attack vectors require the version string to pass through the mirror's index.tab file without validation. The fixes applied to the master branch replace eval-based execution with safe argv passing, pass version data to awk as a -v variable instead of interpolating it into the program, and add grammar validation to reject malformed version strings before use.
Business impact
For organizations and developers using nvm with non-default mirrors, CI/CD pipelines configured to pull from custom mirror sources, or environments on networks where mirror traffic is unencrypted, this vulnerability allows complete command execution under the invoking user's identity. This could lead to source code theft, build artifact tampering, credential exfiltration from CI environments, lateral movement within networks, or supply chain poisoning if compromised builds are distributed. Teams using the official nodejs.org mirror over HTTPS are not at risk. However, the ease of exploitation and the breadth of potential impact in development and CI workflows elevates business risk for affected deployments.
Affected systems
nvm (Node Version Manager) through version 0.40.4 as distributed by the OpenJS Foundation is affected. Any system using nvm to install or manage Node.js versions is potentially vulnerable if: (1) it is configured to use a non-default mirror, (2) the mirror connection is not over HTTPS, or (3) the user's network is subject to man-in-the-middle attacks. The default mirror configuration (https://nodejs.org) mitigates the risk for standard deployments. Users on versions 0.40.4 and earlier should prioritize upgrading.
Exploitability
Exploitability is moderate in real-world scenarios despite the technical simplicity. An attacker must either control the mirror server, intercept unencrypted mirror traffic, or convince a user to explicitly configure a malicious mirror. The CVSS score of 7.5 (HIGH) reflects the high impact (confidentiality, integrity, availability) balanced against the requirement for network-level access (AV:N/AC:H) and user interaction in some scenarios (UI:R). The vulnerability is not in the CISA Known Exploited Vulnerabilities catalog, but the attack surface widens significantly in CI/CD environments where mirror configurations may be centralized and automation reduces friction.
Remediation
Upgrade nvm to a version incorporating the security fixes from the master branch once a tagged release becomes available. Verify the updated version against the OpenJS Foundation's official release channels. In the interim, immediately audit your nvm configuration: confirm you are using the default https://nodejs.org mirror, or if you are using a custom mirror, verify it is accessed over HTTPS with valid certificates and is controlled by a trusted entity. Disable or restrict access to non-default mirrors in shared CI/CD environments. Consider enforcing mirror configuration via centralized tooling to prevent user misconfiguration.
Patch guidance
Monitor the nvm GitHub repository and OpenJS Foundation release notes for the next tagged release that incorporates the master branch fixes. Once released, upgrade by pulling the latest version using your current nvm installation method (typically via the installation script or package manager). Verify the upgrade completed by running `nvm --version` and confirming the version number has incremented. For CI/CD environments, update base images and automated provisioning scripts to use the patched version. Test node installation workflows in a non-production environment before deploying to production pipelines. Coordinate timing with your development and infrastructure teams to minimize disruption.
Detection guidance
Monitor command execution logs on systems running nvm for suspicious shell escapes or unusual awk invocations that correlate with `nvm install` or related version-management commands. If you use a custom mirror, audit its access logs and index.tab file for unexpected version strings containing shell metacharacters ($(), ``, |, ;) or awk commands (system(), etc.). In CI/CD platforms, monitor build logs for unexpected commands executed during the version installation phase. Network-level detection is limited unless you inspect unencrypted mirror traffic; if you are using a non-HTTPS mirror, this is a strong indicator of potential exposure and should trigger immediate investigation.
Why prioritize this
Although nvm is not yet in the CISA KEV catalog, this vulnerability merits immediate prioritization for organizations using non-default mirrors or CI/CD automation. The ease of exploitation once an attacker gains mirror access, the critical nature of the nvm tool in development workflows, and the potential for supply chain impact justify urgent patching. The HIGH CVSS score and the breadth of affected deployment scenarios—particularly in containerized and automated build environments—compound the risk. Prioritize patching for any nvm installations in CI/CD pipelines and shared development infrastructure first, followed by individual developer workstations.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) balances high impact across confidentiality, integrity, and availability with moderate attack complexity and network-level access requirements. The vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R reflects that an attacker needs network access but faces high complexity in exploiting most users (due to default-mirror protection), and successful exploitation in some scenarios requires user interaction (selecting a non-default mirror or accepting a man-in-the-middle scenario). However, the impact once achieved is severe—arbitrary command execution—warranting the HIGH rating. In CI/CD and automated scenarios where mirror configuration is centralized and attacker motivation is high, the practical exploitability is higher than the score suggests.
Frequently asked questions
Is my nvm installation at risk if I use the official nodejs.org mirror?
No. The default mirror configuration pointing to https://nodejs.org over TLS is not affected by this vulnerability. The security fixes are preventive; the official mirror was never compromised and does not serve malicious version strings. If you have not changed your mirror configuration, you are safe. Verify by running `nvm get-mirror` or checking your `.nvmrc` or shell profile for mirror settings.
We use a custom internal mirror for Node.js versions. What should we do immediately?
Audit your mirror connection: confirm it is served over HTTPS with a valid certificate. Review your index.tab file for any unexpected or suspicious version strings, particularly those containing shell metacharacters or awk commands. If your mirror is over HTTP, treat it as a critical security incident and migrate to HTTPS immediately, or use the official mirror as a fallback. Additionally, upgrade nvm to a patched version as soon as one is released.
How can we prevent users from configuring non-default or malicious mirrors?
In centralized environments like CI/CD, enforce mirror configuration via environment variables or configuration files that are read-only or managed by infrastructure teams. Use container images with nvm pre-configured to the trusted mirror. For developer workstations, provide documentation and tooling guidance, but recognize that individual configuration may be harder to enforce. The best defense is rapid patching combined with clear communication about using only official mirrors.
Does this vulnerability affect Node.js itself or only nvm?
This vulnerability is specific to nvm, the version manager tool. Node.js itself is not affected. However, because nvm is commonly used to install and manage Node.js versions, any compromise of nvm execution can indirectly compromise the Node.js environment and projects. The vulnerability does not require the Node.js binary to be malicious; rather, malicious commands injected into nvm's execution context can affect the entire development or CI workflow.
This analysis is provided for informational and educational purposes. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability details and patch versions. Organizations should verify all patch information directly with the OpenJS Foundation's official releases and adapt guidance to their specific deployment configurations. Exploit code or weaponized proof-of-concepts are not provided. Always test security updates in non-production environments before deployment. Risk assessments are indicative; individual environments may face higher or lower actual risk depending on network architecture, access controls, and mirror configurations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability