Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on turbo (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.9.14.
DescriptionGitHub Advisory
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
AnalysisAI
CSRF vulnerability in Turborepo's self-hosted authentication flow allows credential injection attacks when users authenticate the CLI against self-hosted remote cache endpoints. An attacker-controlled web page can send a malicious token to the localhost callback server during the login process. If the malicious callback arrives before the legitimate OAuth response, the CLI completes authentication with attacker-supplied credentials, leading to high integrity impact on subsequent build operations. This affects users of self-hosted Turborepo deployments only - Vercel's hosted device authorization flows are not vulnerable. Fixed in version 2.9.14.
Technical ContextAI
Turborepo is a build system orchestrator for JavaScript/TypeScript monorepos, supporting remote caching to accelerate builds across teams. The affected component is the CLI's OAuth-style authentication flow for self-hosted remote cache servers. During login, the CLI spawns a local HTTP server on localhost to receive the OAuth callback with an authorization code. The vulnerability stems from missing CSRF state parameter validation (CWE-352) - the callback handler accepted any incoming request without verifying the cryptographic state token that binds the authorization request to the callback response. This violates OAuth 2.0 security best practices (RFC 6749 Section 10.12). The affected product is identified by CPE cpe:2.3:a:vercel:turborepo:*:*:*:*:*:*:*:* covering all versions prior to 2.9.14. The CVSS 4.0 vector indicates network-based attack (AV:N) with low complexity (AC:L) but requiring present attack conditions (AT:P) and user interaction (UI:P), resulting in high subsequent integrity impact (SI:H) while vulnerable system integrity impact remains low (VI:L).
RemediationAI
Upgrade Turborepo to version 2.9.14 or later, which implements proper CSRF state parameter validation in the localhost OAuth callback handler. For npm/yarn installations, run 'npm update turbo' or 'yarn upgrade turbo' to install the patched version. The fix adds cryptographic validation to ensure callback requests originate from the same authorization flow initiated by the CLI. Official vendor advisory with technical details is available at https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r. For organizations unable to immediately upgrade, implement compensating controls with trade-offs: (1) Restrict CLI authentication to trusted networks only - limits where 'turbo login' can be executed but may disrupt remote developer workflows. (2) Educate developers to avoid browsing untrusted websites during CLI authentication flows - relies on user behavior change, difficult to enforce. (3) Use short-lived authentication tokens and rotate frequently - reduces window of compromised credential utility but increases operational overhead. (4) Monitor authentication logs for anomalous token usage patterns (e.g., tokens used from unexpected IP ranges immediately after issuance). Note that workarounds provide incomplete protection; upgrading to 2.9.14 is the only complete remediation.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30553
GHSA-hcf7-66rw-9f5r