Turborepo Arbitrary Code Execution Vulnerability in Yarn Configuration
Vulnerability
An arbitrary code execution vulnerability affects Turborepo versions from 1.1.0 up to, but not including, 2.9.14. It is triggered when Turborepo runs inside an untrusted repository that carries a malicious Yarn configuration. The flaw lies in the package manager detection step, which executes 'yarn --version' with the project directory as its working directory. Yarn Berry honours the 'yarnPath' setting in the '.yarnrc.yml' found in that directory and executes the script it names instead of the globally installed Yarn, so whoever controls the repository contents also controls the code that runs during detection. Any affected Turborepo command is therefore enough to trigger the execution.
Impact
An attacker who controls the contents of a repository (for example, a pull request or a cloned third-party project) can run arbitrary code on the machine that invokes Turborepo, with the privileges of the invoking user, during Yarn Berry detection. The execution is unexpected because it does not depend on the repository's declared Turborepo tasks.
Remediation
Upgrade to Turborepo version 2.9.14 or later. If an immediate upgrade is not possible, do not run Turborepo commands in untrusted repositories, and review or remove any '.yarnrc.yml' file that sets 'yarnPath' before running Turborepo, particularly in CI or other automated environments that check out and build external projects.
