Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, nvm ls-remote (and other commands that refresh remote LTS aliases, such as nvm install --lts) parse the node.js mirror's index.tab and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as ../../../.bashrc, causing nvm to write the associated version string to a path outside $NVM_DIR/alias. With the default layout ($NVM_DIR is ~/.nvm), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured NVM_NODEJS_ORG_MIRROR/NVM_IOJS_ORG_MIRROR -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects .. path components when writing alias files.
Until upgrading, only run nvm ls-remote and LTS-refreshing commands against trusted mirrors over TLS, and ensure NVM_NODEJS_ORG_MIRROR and NVM_IOJS_ORG_MIRROR point only at trusted endpoints.
Upgrade to nvm 0.40.6 or later, which validates remote LTS codenames and rejects .. path components when writing alias files. (Only needed if using a non-default mirror whose metadata contents you do not trust).