Command Injection in nvm via NVM_AUTH_HEADER in wget code path
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function assembles the wget command line as a string and executes it with eval, and in that wget code path the NVM_AUTH_HEADER environment variable was spliced into the string without sanitization (the curl code path did sanitize it). Because eval re-parses the string, a header value containing a double quote followed by shell metacharacters breaks out of the intended --header argument, and the remainder runs as shell commands. An attacker who can set environment variables in a victim's shell (for example through a malicious CI/CD configuration, compromised dotfiles, or an ENV line in a Docker image) therefore gets arbitrary command execution as the victim whenever an nvm command triggers a download, such as 'nvm install' or 'nvm ls-remote'. The wget path is only taken when nvm does not find curl on the host, so the exposure is limited to hosts that fall back to wget. The fix commit and the v0.40.4 release notes are linked below.
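The pattern described above, reduced to a runnable shell example. This is an added example, not nvm's own code and not its actual fix: fake_wget stands in for wget so it runs offline, injected_marker is a harmless stand-in for an attacker payload, the payload string is constructed for the demo, and sanitize_header is an illustrative allowlist filter of my own, not nvm's sanitizer. vuln_download reproduces the shape of the bug (header spliced into a string that eval re-parses); safe_download shows the two defences a reviewer would ask for: no eval, with the header passed as a single argv element, and an allowlist on the value as defence in depth.

```shell
#!/bin/sh
# Added example, not code from the nvm project. Demonstrates why
# eval over a string containing NVM_AUTH_HEADER is injectable and
# how argument-based invocation plus an allowlist avoids it.

fake_wget() {
  # Stand-in for wget (constructed for the demo): print each argv
  # element on its own line so we can see what "wget" would receive.
  printf '%s\n' "$@"
}

injected_marker() {
  # Harmless stand-in for an attacker payload.
  echo INJECTED
}

# Vulnerable pattern: the header value lands in a string, and eval
# re-parses that string as shell syntax. A value containing a double
# quote ends the --header argument early; whatever follows is executed.
vuln_download() {
  ARGS="-q -O - $1"
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    ARGS="${ARGS} --header \"${NVM_AUTH_HEADER}\""
  fi
  # shellcheck disable=SC2086
  eval fake_wget $ARGS
}

# Illustrative allowlist (an assumption, not nvm's sanitizer): keep only
# characters that belong in a header line and drop everything else, in
# particular quotes, $, backticks, |, &, <, > and newlines.
sanitize_header() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9 :;_.=/+-'
}

# Hardened pattern: no eval. The header reaches the downloader as one
# argv element, so metacharacters inside it are never parsed by the
# shell; the allowlist filter is defence in depth on top of that.
safe_download() {
  if [ -n "${NVM_AUTH_HEADER:-}" ]; then
    fake_wget -q -O - "$1" --header "$(sanitize_header "${NVM_AUTH_HEADER}")"
  else
    fake_wget -q -O - "$1"
  fi
}

# Demo with a constructed payload that closes the double quotes and
# appends commands; "true" at the end keeps the exit status clean.
NVM_AUTH_HEADER='x"; injected_marker; true "'
echo '--- vulnerable (eval) path:'
vuln_download https://example.invalid/node.tar.gz
echo '--- hardened path:'
safe_download https://example.invalid/node.tar.gz
```

In the vulnerable path fake_wget only ever sees the header value `x`, and the line INJECTED comes from the command that followed the closing quote; in the hardened path the whole value arrives as one argument and nothing else runs. The sanitizer alone would not have saved the eval-based version against every input, which is why removing eval is the primary fix and the filter is secondary.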
References
- Fix commit (patch)
- Release v0.40.4 (release notes)
- nvm GitHub repository (product)
- https://github.com/nvm-sh/nvm/pull/3380 (x_introduced)
Affected products
- <= 0.40.3
- == 0.40.4
Matching in nixpkgs (matches are by package name only; judging from their descriptions, none of the packages below is nvm-sh/nvm itself)
pkgs.convmv
Converts filenames from one encoding to another
pkgs.krunvm
CLI-based utility for creating microVMs from OCI images
pkgs.libnvme
C Library for NVM Express on Linux
pkgs.nvme-rs
Lightweight tool for monitoring NVMe drive health with email alerts
pkgs.openvmm
modular, cross-platform Virtual Machine Monitor (VMM), written in Rust
- nixos-unstable 0-unstable-2025-03-13
- nixpkgs-unstable 0-unstable-2025-03-13
- nixos-unstable-small 0-unstable-2025-03-13
pkgs.nvme-cli
NVM-Express user space tooling for Linux
pkgs.nvmetcfg
NVMe-oF Target Configuration Utility for Linux
pkgs.crc64fast-nvme
SIMD accelerated carryless-multiplication CRC-64/NVME checksum computation (based on Intel's PCLMULQDQ paper)
pkgs.fishPlugins.nvm
The Node.js version manager you'll adore, crafted just for Fish
pkgs.python312Packages.pynvml
Unofficial Python bindings for the NVIDIA Management Library
pkgs.python313Packages.pynvml
Unofficial Python bindings for the NVIDIA Management Library
pkgs.python312Packages.py3nvml
Python 3 Bindings for the NVIDIA Management Library
- nixos-unstable py3nvml-0.2.7
- nixpkgs-unstable py3nvml-0.2.7
- nixos-unstable-small py3nvml-0.2.7
pkgs.python313Packages.py3nvml
Python 3 Bindings for the NVIDIA Management Library
- nixos-unstable py3nvml-0.2.7
- nixpkgs-unstable py3nvml-0.2.7
- nixos-unstable-small py3nvml-0.2.7
pkgs.cudaPackages.cuda_nvml_dev
CUDA NVML Headers. By downloading and using the packages you accept the terms and conditions of the CUDA EULA
pkgs.cudaPackages_11.cuda_nvml_dev
CUDA NVML Headers. By downloading and using the packages you accept the terms and conditions of the CUDA EULA
Package maintainers
- @al3xtjames Alex James <nix@alextjam.es>
- @prusnak Pavol Rusnak <pavol@rusnak.io>
- @ConnorBaker Connor Baker <ConnorBaker01@gmail.com>
- @GaetanLepage Gaetan Lepage <gaetan@glepage.com>
- @SomeoneSerge Else Someone <else+nixpkgs@someonex.net>
- @samuela Samuel Ainsworth <skainsworth@gmail.com>
- @pta2002 Pedro Alves <pta2002@pta2002.com>
- @NickCao Nick Cao <nickcao@nichi.co>
- @vifino Adrian Pistol <vifino@tty.sh>
- @Mic92 Jörg Thalheim <joerg@thalheim.io>
- @liberodark liberodark <liberodark@gmail.com>
- @Hoverbear Ana Hobden <operator+nix@hoverbear.org>
- @astro Astro <astro@spaceboyz.net>
- @happysalada Raphael Megzari <raphael@megzari.com>
- @bcdarwin Ben Darwin <bcdarwin@gmail.com>
- @powwu powwu <hello@powwu.sh>