CVE-2026-45772
CRITICAL 9.8 | EPSS 0.10%
Turbo: Unexpected local code execution during Yarn Berry detection
Description
### Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands.

### Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as `package.json`, the value of `yarnPath` in `.yarnrc.yml` (which is parsed rather than executed), and `yarn.lock`. Unrecognized Yarn lockfile formats are rejected instead of falling back to executing `yarn`.

### Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove `.yarnrc.yml` files that define `yarnPath` before running Turborepo, especially in CI or automated tooling that processes external projects.
Affected packages (3)
- npm/turbo: >= 1.1.0, < 2.9.14
- npm/@turbo/codemod: >= 2.3.4, < 2.9.14
- npm/@turbo/workspaces: >= 2.3.4, < 2.9.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |