PT-2026-41312 · Turborepo · Turborepo
Published
2026-05-15
·
Updated
2026-05-19
·
CVE-2026-45773
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Turborepo versions prior to 2.9.14
Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. The self-hosted login and SSO browser flows fail to validate a CSRF (Cross-Site Request Forgery) state value on the localhost callback. While the CLI awaits authentication, a malicious web page can send a request to the local callback server using an attacker-controlled token. If this request is processed before the legitimate callback, the CLI may complete the login process using incorrect credentials. This issue specifically affects users authenticating the turbo CLI against self-hosted remote cache or authentication endpoints.
Recommendations
Update to version 2.9.14.
Exploit
Fix
CSRF
Session Fixation
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Turborepo