CVE-2026-45772
Published 2026-05-15
Priority P2 60 | critical | 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.39% (30.4th percentile)
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| turbo | codemod | — | — |
| turbo | codemod | >= 2.3.4 < 2.9.14 | 2.9.14 |
| turbo | workspaces | — | — |
| turbo | workspaces | >= 2.3.4 < 2.9.14 | 2.9.14 |
| vercel | turborepo | — | — |
| vercel | turborepo | >= 1.1.0 < 2.9.14 | 2.9.14 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 0.0 | NONE | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Turbo: Unexpected local code execution during Yarn Berry detection
ghsa · 2026-05-19 · severity LOW · CWE-426
### Impact
Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands.
### Fix
Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as `package.json`, parsing the value of `yarnPath` in `.yarnrc
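The fix approach described above (inferring the Yarn version from metadata instead of running `yarn --version` in the project directory), as an added example that is not Turborepo's own code: the minimal `package.json` and `.yarnrc.yml` parsers, the `yarnPathEscapesProject` check and the sample inputs are assumptions made here.

```javascript
// Added example, not Turborepo's own code: infer the Yarn version from
// repository metadata without spawning `yarn --version`, so a project-
// controlled `yarnPath` in .yarnrc.yml is read as data and never executed.
// Inputs are file contents as strings; the minimal parsers are an assumption.

// "yarn@X.Y.Z" from package.json's packageManager field, if present.
function yarnVersionFromPackageJson(packageJsonText) {
  let pkg;
  try { pkg = JSON.parse(packageJsonText); } catch { return null; }
  if (!pkg || typeof pkg !== "object") return null;
  const pm = typeof pkg.packageManager === "string" ? pkg.packageManager : "";
  const m = /^yarn@(\d+\.\d+\.\d+)/.exec(pm);
  return m ? m[1] : null;
}

// Top-level `yarnPath:` value from .yarnrc.yml, handled as plain text.
// Only the flat `key: value` form Yarn itself writes is recognised.
function yarnPathFromYarnrc(yarnrcText) {
  for (const line of yarnrcText.split(/\r?\n/)) {
    const m = /^yarnPath:\s*["']?([^"'\s#]+)["']?\s*(#.*)?$/.exec(line);
    if (m) return m[1];
  }
  return null;
}

// Version hint from the release file name Yarn Berry uses,
// e.g. .yarn/releases/yarn-3.6.4.cjs -> "3.6.4".
function yarnVersionFromYarnPath(yarnPath) {
  const base = yarnPath.split(/[\\/]/).pop();
  const m = /^yarn-(\d+\.\d+\.\d+)\.c?js$/.exec(base);
  return m ? m[1] : null;
}

// True when yarnPath is absolute or climbs out of the checkout with "..".
function yarnPathEscapesProject(yarnPath) {
  return /^([A-Za-z]:)?[\\/]/.test(yarnPath) ||
    yarnPath.split(/[\\/]/).includes("..");
}

// Combined detection: packageManager wins, yarnPath is only a fallback hint.
function detectYarn(packageJsonText, yarnrcText) {
  const yarnPath = yarnPathFromYarnrc(yarnrcText || "");
  const version = yarnVersionFromPackageJson(packageJsonText || "") ||
    (yarnPath ? yarnVersionFromYarnPath(yarnPath) : null);
  return { version, yarnPath, escapes: yarnPath ? yarnPathEscapesProject(yarnPath) : false };
}

// Constructed sample: a typical Yarn Berry checkout, detected without execution.
console.log(detectYarn('{"packageManager":"yarn@3.6.4"}', 'yarnPath: .yarn/releases/yarn-3.6.4.cjs\n'));
```

A CI job that sees `escapes: true` has a reason to stop before any project-local Yarn is run; the version inferred here is a hint, not proof of which binary would actually execute.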
VulDB
vercel turborepo/codemod/workspaces up to 2.9.13 untrusted search path
vuldb · 2026-05-15 · severity NONE
A vulnerability was found in vercel turborepo, codemod and workspaces up to 2.9.13. It has been rated as problematic. Affected by this issue is some unknown functionality. This manipulation causes untrusted search path.
The identification of this vulnerability is CVE-2026-45772. The attack can only be executed locally. There is no exploit available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.