turbo is vulnerable to Path Traversal
37
Low Risk
The Turborepo CLI restores remote cache archives, copies prune patch files, serves a local query API, and invokes git using repository-controlled inputs. Before the fix, chained archive symlinks could resolve outside the repo root, prune patch paths and query file reads lacked realpath confinement, and SCM refs starting with - could inject git options such as --output. Repo-configured login URLs could also redirect browser auth to attacker-controlled hosts. The release hardens archive restore with anchor realpath checks, confines prune and query paths, strips dangerous mode bits from cache restore, rejects option-like git refs, and blocks untrusted repo-sourced auth redirects unless explicitly user supplied.
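Two of the hardening steps described above, the anchor realpath check on restored archive entries and the rejection of option-like git refs, shown as an added Rust illustration that is not Turborepo's own code; the function names, the temp-dir layout built by `demo`, and the sample entry names are assumptions made for this example.

```rust
use std::fs;
use std::io::{self, Error, ErrorKind};
use std::path::{Component, Path, PathBuf};

/// Refs beginning with '-' would be parsed by git as options (e.g. `--output`); reject them.
pub fn is_option_like_ref(r: &str) -> bool {
    r.starts_with('-')
}

/// Lexical join under `root`: absolute names and `..` climbing above `root` are rejected.
pub fn lexical_join(root: &Path, entry: &str) -> Option<PathBuf> {
    let (mut out, mut depth) = (root.to_path_buf(), 0usize);
    for c in Path::new(entry).components() {
        match c {
            Component::Normal(n) => { out.push(n); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir if depth > 0 => { out.pop(); depth -= 1; }
            _ => return None, // RootDir, Prefix, or `..` past the root
        }
    }
    Some(out)
}

/// Anchor realpath check: the deepest already-existing ancestor of the target (possibly a
/// symlink written by an earlier entry) must resolve under the canonical root.
pub fn confine(root: &Path, entry: &str) -> io::Result<PathBuf> {
    let bad = |m: &str| Error::new(ErrorKind::InvalidInput, m.to_string());
    let target = lexical_join(root, entry).ok_or_else(|| bad("entry escapes root"))?;
    let real_root = fs::canonicalize(root)?;
    let mut anchor = target.as_path();
    // symlink_metadata does not follow links: a dangling link stays the anchor and fails closed.
    while fs::symlink_metadata(anchor).is_err() {
        anchor = anchor.parent().ok_or_else(|| bad("no existing anchor"))?;
    }
    if fs::canonicalize(anchor)?.starts_with(&real_root) { Ok(target) } else { Err(bad("anchor resolves outside root")) }
}

/// Constructed scenario (hypothetical layout): root holds a symlink to a sibling directory.
/// Returns (plain entry accepted, entry through the link rejected, `..` rejected).
#[cfg(unix)]
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("turbo-confine-{}", std::process::id()));
    let (root, outside) = (base.join("repo"), base.join("outside"));
    for d in [&root, &outside] { fs::create_dir_all(d)?; }
    std::os::unix::fs::symlink(&outside, root.join("link"))?;
    let r = (confine(&root, "dist/app.js").is_ok(), confine(&root, "link/evil.js").is_err(),
             confine(&root, "../outside/x").is_err());
    fs::remove_dir_all(&base)?;
    Ok(r)
}
```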
You are affected if you are using a version that falls within the vulnerable range.
turbo is vulnerable to Path Traversal in versions 1.0.0 - 2.9.17.
Upgrade the turbo library to the patched version.