Skip to main content

Turborepo CVE-2026-45773

| EUVDEUVD-2026-30553 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-15 GitHub_M GHSA-hcf7-66rw-9f5r
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 17:01 EUVD
Analysis Generated
May 15, 2026 - 16:31 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
5.1 (MEDIUM)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on turbo (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.9.14.

DescriptionGitHub Advisory

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.

AnalysisAI

CSRF vulnerability in Turborepo's self-hosted authentication flow allows credential injection attacks when users authenticate the CLI against self-hosted remote cache endpoints. An attacker-controlled web page can send a malicious token to the localhost callback server during the login process. If the malicious callback arrives before the legitimate OAuth response, the CLI completes authentication with attacker-supplied credentials, leading to high integrity impact on subsequent build operations. This affects users of self-hosted Turborepo deployments only - Vercel's hosted device authorization flows are not vulnerable. Fixed in version 2.9.14.

Technical ContextAI

Turborepo is a build system orchestrator for JavaScript/TypeScript monorepos, supporting remote caching to accelerate builds across teams. The affected component is the CLI's OAuth-style authentication flow for self-hosted remote cache servers. During login, the CLI spawns a local HTTP server on localhost to receive the OAuth callback with an authorization code. The vulnerability stems from missing CSRF state parameter validation (CWE-352) - the callback handler accepted any incoming request without verifying the cryptographic state token that binds the authorization request to the callback response. This violates OAuth 2.0 security best practices (RFC 6749 Section 10.12). The affected product is identified by CPE cpe:2.3:a:vercel:turborepo:*:*:*:*:*:*:*:* covering all versions prior to 2.9.14. The CVSS 4.0 vector indicates network-based attack (AV:N) with low complexity (AC:L) but requiring present attack conditions (AT:P) and user interaction (UI:P), resulting in high subsequent integrity impact (SI:H) while vulnerable system integrity impact remains low (VI:L).

RemediationAI

Upgrade Turborepo to version 2.9.14 or later, which implements proper CSRF state parameter validation in the localhost OAuth callback handler. For npm/yarn installations, run 'npm update turbo' or 'yarn upgrade turbo' to install the patched version. The fix adds cryptographic validation to ensure callback requests originate from the same authorization flow initiated by the CLI. Official vendor advisory with technical details is available at https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r. For organizations unable to immediately upgrade, implement compensating controls with trade-offs: (1) Restrict CLI authentication to trusted networks only - limits where 'turbo login' can be executed but may disrupt remote developer workflows. (2) Educate developers to avoid browsing untrusted websites during CLI authentication flows - relies on user behavior change, difficult to enforce. (3) Use short-lived authentication tokens and rotate frequently - reduces window of compromised credential utility but increases operational overhead. (4) Monitor authentication logs for anomalous token usage patterns (e.g., tokens used from unexpected IP ranges immediately after issuance). Note that workarounds provide incomplete protection; upgrading to 2.9.14 is the only complete remediation.

Share

CVE-2026-45773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy