Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
6.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
CWE-384
Status
published
Products (2)
npm/turbo
0 - 2.9.14npm
vercel/turborepo
< 2.9.14 (2 CPE variants)
Published
May 15, 2026
Tracked Since
May 15, 2026