VDB
CRITICAL 9.8

GHSA-3qcw-2rhx-2726

Turbo: Unexpected local code execution during Yarn Berry detection

Details

### Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/workspace` conversion commands.

### Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are instead inferred from metadata: the `packageManager` information in `package.json`, the value of `yarnPath` in `.yarnrc.yml` (parsed as data rather than executed), and the format of `yarn.lock`. Unrecognized Yarn lockfile formats are rejected instead of falling back to executing `yarn`.

### Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove `.yarnrc.yml` files that define `yarnPath` before running Turborepo, especially in CI or automated tooling that processes external projects.
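As an added example (illustrative Node.js, not Turborepo's own code), this is the metadata-only detection strategy the fix describes: the Yarn flavour is inferred from `packageManager` in `package.json`, the `yarnPath` line in `.yarnrc.yml` is parsed and reported rather than executed, lockfile headers decide classic versus Berry, and anything unrecognized is rejected instead of falling back to `yarn --version`. The line-based `yarnPath` extraction, the function names and the sample file contents are constructed for illustration.

```javascript
// Metadata-only Yarn detection (illustrative, not Turborepo's code): never spawn `yarn`.
const YARN_LOCK_V1 = /^# yarn lockfile v1/m;   // classic (v1) lockfile header
const YARN_LOCK_BERRY = /^__metadata:\s*$/m;   // Berry (v2+) lockfile header

// Line-based extraction of `yarnPath` from .yarnrc.yml (assumption: production code
// would use a real YAML parser). The value is returned as data only, never run.
function parseYarnPath(yarnrcYml) {
  if (!yarnrcYml) return null;
  const m = yarnrcYml.match(/^yarnPath:\s*["']?([^"'\n#]+?)["']?\s*(?:#.*)?$/m);
  return m ? m[1].trim() : null;
}

// Prefer the explicit `packageManager` field, e.g. "yarn@3.6.1" or "yarn@1.22.19".
function parsePackageManagerField(packageJsonText) {
  const pm = JSON.parse(packageJsonText).packageManager;
  if (typeof pm !== "string") return null;
  const m = pm.match(/^yarn@(\d+)\.\d+\.\d+/);
  return m ? { major: Number(m[1]), version: m[0].slice("yarn@".length) } : null;
}

// Inputs are file contents (strings or null), so nothing from the checkout is executed.
function detectYarn({ packageJson, yarnrcYml, yarnLock }) {
  const yarnPath = parseYarnPath(yarnrcYml);
  const findings = yarnPath ? [`yarnPath is set to ${yarnPath} (recorded, not executed)`] : [];
  const pm = parsePackageManagerField(packageJson);
  if (pm) {
    const manager = pm.major >= 2 ? "yarn-berry" : "yarn-classic";
    return { manager, version: pm.version, yarnPath, findings };
  }
  if (YARN_LOCK_V1.test(yarnLock || "")) return { manager: "yarn-classic", version: null, yarnPath, findings };
  if (YARN_LOCK_BERRY.test(yarnLock || "")) return { manager: "yarn-berry", version: null, yarnPath, findings };
  // Unrecognized lockfile: fail closed instead of falling back to `yarn --version`.
  throw new Error("unrecognized or missing yarn.lock; refusing to run project-local yarn");
}

// Constructed sample checkout: a Berry project whose .yarnrc.yml points at a repo-local binary.
const SAMPLE_REPO = {
  packageJson: '{"name":"demo","packageManager":"yarn@3.6.1"}',
  yarnrcYml: "nodeLinker: node-modules\nyarnPath: .yarn/releases/yarn-3.6.1.cjs\n",
  yarnLock: "__metadata:\n  version: 6\n  cacheKey: 8\n",
};

console.log(JSON.stringify(detectYarn(SAMPLE_REPO)));
```

In CI, running such a check before Turborepo commands surfaces any repository-supplied `yarnPath` for review without giving it a chance to execute.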


Affected packages

| Package | First affected version | Fixed version | Fix |
|---|---|---|---|
| npm / turbo | 1.1.0 | 2.9.14 | `npm install turbo@2.9.14` |
| npm / @turbo/codemod | 2.3.4 | 2.9.14 | `npm install @turbo/codemod@2.9.14` |
| npm / @turbo/workspaces | 2.3.4 | 2.9.14 | `npm install @turbo/workspaces@2.9.14` |

References