PT-2026-60310 · Nvm Sh · Nvm

Jordan Harband

+1

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-15921

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM DIR/alias. With the default layout ($NVM DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM NODEJS ORG MIRROR/NVM IOJS ORG MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15921

Affected Products

Nvm