Skip to main content

Nvm

1 CVEs product

Monthly

CVE-2026-15921 LOW PATCH Monitor

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.

Node.js Path Traversal RCE Nvm
NVD GitHub
CVSS 4.0
2.1
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.

Node.js Path Traversal RCE +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy