CVE-2026-10796

HIGH · EPSS 36.8%
Published Jun 4, 2026 (3w ago) · Modified Jun 17, 2026 (1w ago)
CVSS 4.0: 7.5 (High)

Description

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can therefore run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
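The three defences the description names (reject versions outside the grammar, build commands as argv rather than an eval'd string, hand values to awk as data via -v) as an added POSIX sh example. This is not nvm's code: the nvm_example_ function names, the NVM_EXAMPLE_MIRROR variable and the simplified version grammar are assumptions made here, and the SHASUMS256.txt body is constructed.

```shell
#!/bin/sh
# Added example, not nvm's own code. Names prefixed nvm_example_ and the
# simplified version grammar below are assumptions for illustration.

# Accept only "vN.N.N" (Node.js) or "iojs-vN.N.N" (io.js). Spaces, shell
# metacharacters and $(...) substitutions can never match this pattern.
nvm_example_is_valid_version() {
  printf '%s\n' "$1" | grep -Eq '^(iojs-)?v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Compose the checksum-file URL for a validated version only. The mirror base
# (NVM_EXAMPLE_MIRROR) is an assumed variable name; default is nodejs.org.
nvm_example_shasums_url() {
  nvm_example_is_valid_version "$1" || return 1
  printf '%s/%s/SHASUMS256.txt\n' \
    "${NVM_EXAMPLE_MIRROR:-https://nodejs.org/dist}" "$1"
}

# Fetch with each argument as its own argv element: no eval, so the shell
# never re-parses the URL text. Left uncalled so the example runs offline.
nvm_example_fetch() {
  curl -fsSL --proto '=https' "$1"
}

# Look up a filename slug in SHASUMS256.txt content. The slug reaches awk
# through -v, so it is a string value, never program text, and awk's
# system() is unreachable from it. (-v still expands backslash escapes,
# which is harmless for a slug derived from a grammar-checked version.)
nvm_example_get_checksum() {
  printf '%s\n' "$1" | awk -v slug="$2" '$2 == slug { print $1; exit }'
}

# Constructed sample SHASUMS256.txt body (fake hashes, not real values).
NVM_EXAMPLE_SHASUMS='aaaa1111aaaa1111  node-v18.17.0-linux-x64.tar.gz
bbbb2222bbbb2222  node-v18.17.0-darwin-arm64.tar.gz'

# Demo: a well-formed version is accepted; a version field carrying the
# command substitution the advisory mentions is rejected before any sink.
for v in 'v18.17.0' 'v18.17.0$(id)'; do
  if nvm_example_is_valid_version "$v"; then
    printf 'accepted: %s -> %s\n' "$v" "$(nvm_example_shasums_url "$v")"
  else
    printf 'rejected: %s\n' "$v"
  fi
done
nvm_example_get_checksum "$NVM_EXAMPLE_SHASUMS" 'node-v18.17.0-linux-x64.tar.gz'
```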

CVSS Details

Base Score
7.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
36.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-78 OS Command Injection

Affected Products 1

Vendor   Product               Version  Range
openjsf  node_version_manager  *        <0.40.5

References 4

  • https://github.com/nvm-sh/nvm/commit/6d870d182cd5333647ffa16c0d7dbcd817ec27a8 (Patch)
  • https://github.com/nvm-sh/nvm/commit/70fb4ede6b9731d75d86451d48caa5faffbec21c (Patch)
  • https://github.com/nvm-sh/nvm/commit/90bb88748ba6c29c2cec73b18ed7057413aef308 (Patch)
  • https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm (Exploit, Mitigation, Patch, Vendor Advisory)