CVE-2026-45772 Overview
CVE-2026-45772 affects Vercel Turborepo, a high-performance build system for JavaScript and TypeScript codebases. Versions from 1.1.0 to before 2.9.14 can execute arbitrary code when run inside untrusted repositories containing malicious Yarn configuration. The package manager detection logic invokes yarn --version from the project directory, which causes Yarn to load and execute a project-controlled yarnPath defined in .yarnrc.yml. Attackers who control repository contents can trigger code execution when developers or CI systems run affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. The vulnerability is fixed in version 2.9.14.
Critical Impact
Cloning and running Turborepo commands against an attacker-controlled repository results in arbitrary code execution on the developer workstation or CI runner.
Affected Products
- Vercel Turborepo versions 1.1.0 through 2.9.13
- @turbo/codemod package shipped with affected Turborepo releases
- @turbo/workspace conversion tooling shipped with affected Turborepo releases
Discovery Timeline
- 2026-05-15 - CVE-2026-45772 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45772
Vulnerability Analysis
The flaw is a search path manipulation issue classified as [CWE-426] Untrusted Search Path. Turborepo determines which package manager a project uses by spawning yarn --version inside the target repository. Modern Yarn (Berry) honors the yarnPath directive in .yarnrc.yml, which points to a JavaScript file that Yarn loads and executes before processing any command. When yarnPath references a file committed to the repository, simply running version detection executes that file under the current user's privileges. The condition is reachable through routine commands such as turbo run, codemod migrations, and workspace conversion utilities.
Root Cause
The root cause is implicit trust in repository-local configuration during environment discovery. Turborepo treats yarn --version as a benign capability probe, but Yarn's design promotes yarnPath over the system binary. The detection routine does not isolate this probe, validate .yarnrc.yml, or pin execution to a known Yarn installation outside the repository.
Attack Vector
An attacker publishes or contributes to a repository containing a crafted .yarnrc.yml with yarnPath pointing to a malicious script committed alongside it. When a victim clones the repository and runs any affected Turborepo command, package manager detection invokes Yarn, which loads the attacker's script. Execution occurs without user interaction beyond running the standard Turborepo entry point and inherits the privileges of the developer or CI service account.
The vulnerability mechanism is documented in the Turborepo GitHub Security Advisory GHSA-3qcw-2rhx-2726. No public proof-of-concept exploit is available at this time.
Detection Methods for CVE-2026-45772
Indicators of Compromise
- Presence of .yarnrc.yml in untrusted repositories with a yarnPath directive referencing a repository-local file
- Child processes spawned by turbo, @turbo/codemod, or @turbo/workspace invoking Node.js against files inside the cloned repository tree
- Outbound network connections initiated by Node.js shortly after turbo command execution on a freshly cloned repository
Detection Strategies
- Audit repositories and CI workspaces for .yarnrc.yml files containing a yarnPath entry, and flag paths that resolve inside the repository
- Monitor for yarn --version invocations followed by execution of arbitrary .js, .cjs, or .mjs files from the working directory
- Inventory installed Turborepo versions across developer machines and CI images, and alert on any version below 2.9.14
Monitoring Recommendations
- Enable process lineage logging on CI runners to capture parent-child relationships between turbo and downstream interpreters
- Alert on first-seen executables launched from repository checkouts during build steps
- Track EDR telemetry for Node.js processes spawning shells, network clients, or credential access utilities after Turborepo commands
How to Mitigate CVE-2026-45772
Immediate Actions Required
- Upgrade Turborepo to version 2.9.14 or later across all developer workstations and CI environments
- Treat unfamiliar repositories as untrusted and review .yarnrc.yml before running any Turborepo command against them
- Rotate any credentials or tokens that may have been exposed on hosts that executed Turborepo commands against untrusted repositories
Patch Information
Vercel released the fix in Turborepo 2.9.14. The advisory and remediation details are published in the Vercel Turborepo Security Advisory GHSA-3qcw-2rhx-2726. Update via the standard package manager workflow, for example npm install turbo@latest or pnpm add -D turbo@latest.
Workarounds
- Run Turborepo only against repositories whose contents are trusted and reviewed
- Inspect and remove any repository-local yarnPath entries in .yarnrc.yml before executing Turborepo commands
- Execute Turborepo commands inside ephemeral, sandboxed containers with no access to credentials or production networks until upgrades complete
# Update Turborepo to the patched release
npm install --save-dev turbo@2.9.14
# Inspect untrusted repositories before running turbo
grep -R "yarnPath" .yarnrc.yml 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
