PT-2026-60310 · Nvm Sh · Nvm
Jordan Harband
+1
·
Publicado
2026-07-15
·
Atualizado
2026-07-15
·
CVE-2026-15921
CVSS v3.1
3.1
Baixa
| Vetor | AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5,
nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM DIR/alias. With the default layout ($NVM DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM NODEJS ORG MIRROR/NVM IOJS ORG MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Nvm