{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1665", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-29T21:25:18.405Z", "datePublished": "2026-01-29T23:04:05.741Z", "dateUpdated": "2026-01-30T18:27:52.134Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "nvm", "vendor": "nvm-sh", "versions": [{"lessThanOrEqual": "0.40.3", "status": "affected", "version": "0.40.0", "versionType": "semver"}, {"status": "unaffected", "version": "0.40.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jiyong Yang (sy2n0@naver.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.</p>"}], "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}, {"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.4, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-29T23:06:47.873Z"}, "references": [{"name": "Fix commit", "tags": ["patch"], "url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506"}, {"name": "Release v0.40.4", "tags": ["release-notes"], "url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4"}, {"name": "nvm GitHub repository", "tags": ["product"], "url": "https://github.com/nvm-sh/nvm"}, {"tags": ["x_introduced"], "url": "https://github.com/nvm-sh/nvm/pull/3380"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().</p>"}], "value": "Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header()."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Fix committed"}, {"lang": "en", "time": "2026-01-29T00:00:00.000Z", "value": "v0.40.4 released"}], "title": "Command Injection in nvm via NVM_AUTH_HEADER in wget code path"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T18:27:21.196460Z", "id": "CVE-2026-1665", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:27:52.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T18:27:21.196460Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:27:41.029Z"}}], "cna": {"title": "Command Injection in nvm via NVM_AUTH_HEADER in wget code path", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jiyong Yang (sy2n0@naver.com)"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}, {"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "nvm-sh", "product": "nvm", "versions": [{"status": "affected", "version": "0.40.0", "versionType": "semver", "lessThanOrEqual": "0.40.3"}, {"status": "unaffected", "version": "0.40.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Fix committed"}, {"lang": "en", "time": "2026-01-29T00:00:00.000Z", "value": "v0.40.4 released"}], "solutions": [{"lang": "en", "value": "Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().", "supportingMedia": [{"type": "text/html", "value": "<p>Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().</p>", "base64": false}]}], "references": [{"url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506", "name": "Fix commit", "tags": ["patch"]}, {"url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4", "name": "Release v0.40.4", "tags": ["release-notes"]}, {"url": "https://github.com/nvm-sh/nvm", "name": "nvm GitHub repository", "tags": ["product"]}, {"url": "https://github.com/nvm-sh/nvm/pull/3380", "tags": ["x_introduced"]}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.", "supportingMedia": [{"type": "text/html", "value": "<p>A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-29T23:06:47.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1665", "state": "PUBLISHED", "dateUpdated": "2026-01-30T18:27:52.134Z", "dateReserved": "2026-01-29T21:25:18.405Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-01-29T23:04:05.741Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos existe en nvm (Node Version Manager) versiones 0.40.3 e inferiores. La funci\u00f3n nvm_download() utiliza eval para ejecutar comandos wget, y la variable de entorno NVM_AUTH_HEADER no fue saneada en la ruta de c\u00f3digo de wget (aunque s\u00ed fue saneada en la ruta de c\u00f3digo de curl). Un atacante que puede establecer variables de entorno en el entorno de shell de una v\u00edctima (por ejemplo, a trav\u00e9s de configuraciones maliciosas de CI/CD, dotfiles comprometidos o im\u00e1genes de Docker) puede inyectar comandos de shell arbitrarios que se ejecutan cuando la v\u00edctima ejecuta comandos nvm que activan descargas, como 'nvm install' o 'nvm ls-remote'."}], "id": "CVE-2026-1665", "lastModified": "2026-02-04T16:34:21.763", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-01-29T23:16:11.707", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/nvm-sh/nvm"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/nvm-sh/nvm/pull/3380"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-95"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}