Turborepo LSP VS Code Extension Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Turborepo LSP VS Code extension, affecting versions through 2.9.12000. The issue arises from the extension's use of string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could introduce crafted values through workspace settings or task names, and those values were interpolated directly into shell command strings. When the extension was activated or a task was run, the user's shell parsed and executed those strings, allowing arbitrary command execution with the privileges of the local VS Code process.

Impact

Exploitation of this vulnerability could lead to arbitrary command execution in the user's shell, with the same privileges as the local VS Code process.

Remediation

Users can upgrade to Turborepo LSP VS Code extension version 2.9.14000 or later. If an immediate upgrade is not possible, disable the extension when opening untrusted workspaces and avoid running Turborepo tasks from the extension in repositories that are not trusted.

Added: May 15, 2026, 4:19 PM
Updated: May 15, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.