CVE-2026-1665 is a medium-severity OS command injection vulnerability affecting nvm (Node Version Manager) versions 0.40.3 and earlier. The root cause lies in the nvm_download() function, which uses the eval command to execute wget commands for downloading Node.js versions or related resources. While the curl code path sanitizes the NVM_AUTH_HEADER environment variable, the wget code path does not, allowing an attacker who can set environment variables in the victim's shell environment to inject arbitrary shell commands. This can occur if an attacker compromises CI/CD configurations, dotfiles, or Docker images that set or influence environment variables. When the victim runs nvm commands that trigger downloads (e.g., 'nvm install' or 'nvm ls-remote'), the injected commands execute with the victim's privileges. The vulnerability requires local access with low privileges and user interaction, as the victim must run the affected nvm commands. The CVSS 4.0 vector indicates local attack vector, low attack complexity, partial privileges required, partial user interaction, and high impact on confidentiality, integrity, and availability. No patches or exploits are currently reported, but the vulnerability poses a risk in development environments where nvm is widely used. The use of eval in shell scripts combined with unsanitized environment variables is a classic injection flaw, emphasizing the need for strict input validation and avoidance of eval where possible.

For European organizations, this vulnerability primarily threatens development, testing, and CI/CD environments where nvm is used to manage Node.js versions. Successful exploitation can lead to arbitrary command execution under the victim user's context, potentially allowing attackers to exfiltrate sensitive data, modify source code, implant backdoors, or disrupt build pipelines. This can compromise the integrity of software supply chains and lead to broader network compromise if attackers pivot from compromised developer machines or build servers. Confidentiality is at risk due to possible data leakage, integrity due to unauthorized code or configuration changes, and availability due to potential disruption of development workflows. Organizations relying on automated pipelines or shared development environments are particularly vulnerable. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, especially in environments with shared or containerized developer setups. The absence of known exploits reduces immediate threat but does not preclude targeted attacks or future exploitation.

European organizations should immediately audit their use of nvm and identify instances running version 0.40.3 or below. Until an official patch is released, mitigation includes avoiding the use of nvm commands that trigger downloads (e.g., 'nvm install', 'nvm ls-remote') in untrusted or compromised environments. Organizations should sanitize or restrict environment variables, especially NVM_AUTH_HEADER, in CI/CD pipelines, Docker images, and developer shells to prevent injection. Implement strict controls on who can modify environment variables and configuration files like dotfiles. Consider using container image scanning and CI/CD pipeline security tools to detect malicious environment variable manipulations. Where possible, replace wget usage with safer alternatives or patch the nvm source code to sanitize inputs or avoid eval usage. Educate developers and DevOps teams about the risks of environment variable injection and the importance of secure configuration management. Monitor logs for suspicious nvm command executions and anomalous environment variable settings. Finally, track vendor updates for official patches and apply them promptly.