Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.
AnalysisAI
Command injection in the Turborepo LSP VS Code extension before version 2.9.14000 allows arbitrary code execution when opening malicious workspaces. The vulnerability stems from unsafe string interpolation in shell commands, enabling attackers to inject commands through workspace settings or task names that execute with the user's VS Code process privileges. The CVSS 4.0 score of 8.4 indicates high severity with local access and user interaction required.
Technical ContextAI
The Turborepo LSP (Language Server Protocol) is a VS Code extension for Turborepo, a JavaScript/TypeScript build system. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), where user-controlled input from workspace settings or task names in the repository source code is directly interpolated into shell commands without proper sanitization. The extension executes these commands for Turborepo daemon operations and task runs through string-based command execution.
RemediationAI
Vendor-released patch: upgrade the Turborepo LSP VS Code extension to version 2.9.14000 or later. VS Code users can update through the Extensions marketplace or manually install the patched version. As an immediate workaround until patching, avoid opening untrusted repositories or workspaces in VS Code with the Turborepo extension enabled. Consider disabling the extension when working with third-party codebases. There are no known side effects to upgrading beyond standard extension update procedures.
CSRF vulnerability in Turborepo's self-hosted authentication flow allows credential injection attacks when users authent
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turbo
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30555