Skip to main content

nvm EUVDEUVD-2026-34303

| CVE-2026-10796 HIGH
OS Command Injection (CWE-78)
2026-06-04 openjs
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 04, 2026 - 18:03 vuln.today
Analysis Generated
Jun 04, 2026 - 18:03 vuln.today
CVE Published
Jun 04, 2026 - 17:02 nvd
HIGH 7.5

DescriptionCVE.org

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with eval, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.

AnalysisAI

Command injection in nvm (Node Version Manager) versions through 0.40.4 allows attackers controlling the configured Node.js/io.js mirror to execute arbitrary shell commands as the user running nvm. Mirror-supplied version strings flow unsanitized into an eval'd curl/wget invocation in nvm_download() and into an awk program in nvm_get_checksum(), enabling injection via constructs like $(id). No public exploit is identified at time of analysis, but the GitHub Security Advisory (GHSA-3c52-35h2-gfmm) and committed regression tests demonstrate the bug class, and CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) reflects that the default TLS-protected nodejs.org mirror is unaffected.

Technical ContextAI

nvm is a POSIX-shell installer/version-manager for Node.js distributed as nvm.sh. The vulnerability is CWE-78 (OS Command Injection) arising from two sinks that share the same untrusted input - version identifiers parsed from a mirror's index.tab. In nvm_download(), arguments were concatenated into a string and executed with eval curl … / eval wget $ARGS, so any shell metacharacter or $(…) in a download URL derived from the version was re-parsed by the shell. In nvm_get_checksum(), the version-derived slug was interpolated directly into an awk program, where awk's system() call could be reached by a crafted version. The affected CPE is cpe:2.3:a:nvm-sh:nvm:* up to 0.40.4.

RemediationAI

Upstream fix available (commits 6d870d182cd5333647ffa16c0d7dbcd817ec27a8, 90bb88748ba6c29c2cec73b18ed7057413aef308, and 70fb4ede6b9731d75d86451d48caa5faffbec21c on master); a released patched version is not independently confirmed at time of analysis, so users should track the next tagged release after 0.40.4 from https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm or build from master. Until a tagged release is available, unset any custom NVM_NODEJS_ORG_MIRROR/NVM_IOJS_ORG_MIRROR configuration and rely on the default https://nodejs.org mirror - the trade-off is loss of internal-mirror caching and any air-gapped workflows. If a custom mirror is mandatory, enforce HTTPS to the mirror to remove the MitM vector and restrict the mirror to a trusted, integrity-checked source, accepting that a compromised mirror operator can still inject commands until the patch is applied. Do not run nvm install, nvm ls-remote, or related commands against untrusted mirror URLs.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-34303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy