Impact
Turborepo builds JavaScript and TypeScript codebases. From version 1.1.0 up to, but not including, 2.9.14 it can execute arbitrary code when a user or CI system runs turbo commands on a repository that contains a malicious .yarnrc.yml. During Yarn Berry detection the tool runs yarn --version from the project directory, which may cause Yarn to load a project-controlled yarnPath. An attacker who controls repository contents can place malicious code at the yarnPath and have it executed when turbo, @turbo/codemod, or @turbo/workspaces conversion commands run. This flaw lets attackers run code with the privileges of the user or CI job.
Affected Systems
The affected product is Turborepo by Vercel, with vulnerable releases from 1.1.0 up to (but not including) 2.9.14, together with the related @turbo/codemod and @turbo/workspaces packages. Upgrading to 2.9.14 or later eliminates the flaw.
Risk and Exploitability
The flaw enables arbitrary code execution on the local system or within CI pipelines. The advisory provides no CVSS score, so a numerical severity cannot be stated. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker supplying a malicious repository that is later processed by a user or an automated build via turbo. Because the vulnerability is triggered by Yarn Berry detection, it is activated whenever those tools run on a repository containing a crafted .yarnrc.yml. In environments where untrusted code is routinely processed, the risk is significant.
OpenCVE Enrichment