PT-2026-60310 · Nvm Sh · Nvm

Jordan Harband

+1

·

Publicado

2026-07-15

·

Atualizado

2026-07-15

·

CVE-2026-15921

CVSS v3.1

3.1

Baixa

VetorAV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM DIR/alias. With the default layout ($NVM DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM NODEJS ORG MIRROR/NVM IOJS ORG MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-15921

Produtos afetados

Nvm