CVE-2026-15921 PUBLISHED

nvm path traversal via a malicious mirror's LTS codename writes outside the alias directory

Assigner: harborist
Reserved: 15.07.2026 Published: 15.07.2026 Updated: 16.07.2026

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM_DIR/alias. With the default layout ($NVM_DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM_NODEJS_ORG_MIRROR/NVM_IOJS_ORG_MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.1

Product Status

Vendor nvm-sh
Product nvm
Versions Default: unaffected
  • affected from 0.32.1 to 0.40.6 (excl.)

Workarounds

Until upgrading, only run nvm ls-remote and LTS-refreshing commands against trusted mirrors over TLS, and ensure NVM_NODEJS_ORG_MIRROR and NVM_IOJS_ORG_MIRROR point only at trusted endpoints.

Solutions

Upgrade to nvm 0.40.6 or later, which validates remote LTS codenames and rejects .. path components when writing alias files. (Only needed if using a non-default mirror whose metadata contents you do not trust).

Credits

  • Sy2n0 (https://github.com/Sy2n0) finder
  • Jordan Harband (https://github.com/ljharb) remediation developer

References

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
  • CWE-73 External Control of File Name or Path CWE