Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.
Published: 2026-05-15
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Turborepo LSP VS Code extension prior to version 2.9.14000 allows an attacker to inject arbitrary shell commands that are derived from values controlled by the workspace. These values are taken from workspace settings or task names in the repository’s source code and are interpolated into string-based command execution calls. If a malicious workspace is loaded or a task is run through the extension, the shell interprets the crafted input, enabling the attacker to execute any command with the privileges of the local VS Code process. This flaw can be exploited to compromise the confidentiality, integrity, and availability of the user’s system.

Affected Systems

This vulnerability impacts the Turborepo LSP VS Code extension for Vercel's Turborepo. Any installation of the extension with a version earlier than 2.9.14000 that references workspace-controlled settings or task names is vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the exploit path requires the victim to open a malicious workspace or execute a task that contains crafted values. The likely attack vector is local: a malicious code base that a user opens in VS Code or a malicious task definition that is executed through the extension. The exploitation is straightforward once the conditions are met, and the attacker obtains full command-execution capabilities on the host running VS Code.

Generated by OpenCVE AI on May 15, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Turborepo VS Code extension to version 2.9.14000 or newer
  • If an upgrade cannot be performed, uninstall or disable the Turborepo LSP extension to prevent command execution
  • Review workspace settings and task definitions to ensure they do not contain untrusted or arbitrary values before opening the workspace

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vercel turborepo Language Server Protocol
CPEs | cpe:2.3:a:vercel:turborepo:*:*:*:*:*:*:*:* | cpe:2.3:a:vercel:turborepo_language_server_protocol:*:*:*:*:*:visual_studio_code:*:*
Vendors & Products | | Vercel turborepo Language Server Protocol

Tue, 19 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:vercel:turborepo:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Sun, 17 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vercel; Vercel turborepo
Vendors & Products | | Vercel; Vercel turborepo

Fri, 15 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.
Title | | Turborepo: VSCode Extension command injection
Weaknesses | | CWE-77
References | |
Metrics | | cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:01.165Z

Reserved: 2026-05-14T19:12:32.754Z

Link: CVE-2026-46508

Vulnrichment

Updated: 2026-05-15T18:01:26.972Z

NVD

Status : Analyzed

Published: 2026-05-15T16:16:15.420

Modified: 2026-05-19T15:12:37.957

Link: CVE-2026-46508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:01:34Z

Weaknesses