AIKIDO-2026-10952

turbo is vulnerable to Race Condition (TOCTOU)

Race Condition (TOCTOU) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

65

Medium Risk

This Affects:

turbo (JS)
0.0.1 - 2.9.14
Fixed in 2.9.15
TL;DR

The Turborepo CLI caches and restores task outputs on the local filesystem. Before the fix, symlink and reparse-point races during cache archiving, restore, structured log creation, and directory permission updates could follow attacker-controlled links and read or write files outside the intended cache workspace. A malicious repository layout or concurrent filesystem changes during CI could exploit these gaps to corrupt or read host files, and permissive experimental OpenTelemetry endpoint settings could reach internal or cloud metadata hosts. The fix enforces no-follow handle validation on cache and log paths, closes restore race windows, applies directory modes safely, and rejects unsafe OTEL endpoint hosts.
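As an added illustration of the "no-follow handle validation" the fix describes, the following Python routine (example code, not Turborepo's own) restores a cache artifact by opening each path component with openat plus O_NOFOLLOW and checking the handle it actually holds with fstat, so a symlink planted under the cache root, or swapped in during restore, cannot redirect the write outside it. It assumes Linux or macOS, and the cache layout built in demo() is constructed for the demonstration.

```python
import errno, os, stat, tempfile
from pathlib import Path

class UnsafeCachePath(Exception):
    """Path contains a symlink or escapes the cache root."""

def open_nofollow(cache_root, rel_path, flags, mode=0o644):
    # Walk the path one component at a time with openat(2) + O_NOFOLLOW, holding a handle to
    # each directory: a component that is, or is swapped for, a symlink is refused (ELOOP).
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeCachePath(f"rejecting path {rel_path!r}")
    opened = [os.open(cache_root, os.O_RDONLY | os.O_DIRECTORY)]
    try:
        for part in parts[:-1]:
            opened.append(os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                                  dir_fd=opened[-1]))
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=opened[-1])
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise UnsafeCachePath(f"symlink in cache path {rel_path!r}") from exc
        raise
    finally:
        for fd in opened:
            os.close(fd)

def restore_file(cache_root, rel_path, data):
    fd = open_nofollow(cache_root, rel_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    with os.fdopen(fd, "wb") as f:
        # fstat on the handle we hold, never stat on the path, decides what gets written.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise UnsafeCachePath(f"{rel_path!r} is not a regular file")
        f.write(data)

def demo():
    # Constructed layout: dist/evil -> a file outside the cache root, linkdir -> outside dir.
    with tempfile.TemporaryDirectory() as tmp:
        root, victim = os.path.join(tmp, "cache"), os.path.join(tmp, "victim.txt")
        os.makedirs(os.path.join(root, "dist"))
        Path(victim).write_text("original")
        os.symlink(victim, os.path.join(root, "dist", "evil"))
        os.symlink(tmp, os.path.join(root, "linkdir"))
        restore_file(root, "dist/app.js", b"console.log(1)")  # legitimate artifact
        blocked = []
        for bad in ("dist/evil", "linkdir/victim.txt", "../victim.txt"):
            try:
                restore_file(root, bad, b"pwned")
            except UnsafeCachePath:
                blocked.append(bad)
        return len(blocked), Path(victim).read_text() == "original"
```

demo() returns (3, True): all three planted paths are refused and the file outside the cache root is never touched.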

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

turbo is vulnerable to a race condition (TOCTOU) in versions 0.0.1 - 2.9.14.

How to fix this

Upgrade the turbo library to the patched version, 2.9.15.