CRITICAL 9.8

GHSA-3qcw-2rhx-2726

Turbo: Unexpected local code execution during Yarn Berry detection

Details

### Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands.

### Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as `package.json`, parsing the value of `yarnPath` in `.yarnrc.yml` rather than executing it, and `yarn.lock`, and unrecognized Yarn lockfile formats are rejected instead of falling back to executing `yarn`.

### Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove `.yarnrc.yml` files that define `yarnPath` before running Turborepo, especially in CI or automated tooling that processes external projects.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / turbo

Introduced in: 1.1.0 Fixed in: 2.9.14

Fix npm install turbo@2.9.14

npm / @turbo/codemod

Introduced in: 2.3.4 Fixed in: 2.9.14

Fix npm install @turbo/codemod@2.9.14

npm / @turbo/workspaces

Introduced in: 2.3.4 Fixed in: 2.9.14

Fix npm install @turbo/workspaces@2.9.14

References

https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-45772 [ADVISORY]
https://github.com/vercel/turborepo [PACKAGE]