Lucene search

5 matches found

GitHub Security Blog
added 2026/05/19 7:49 p.m. | 11 views

Trubo: Login callback CSRF/session fixation

Impact: Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the...

6.5 CVSS | 5.8 AI score | 0.00124 EPSS
Exploits 0 | References 3 | Affected Software 1
EUVD
added 2026/05/19 7:49 p.m. | 8 views

EUVD-2026-30553

Trubo: Login callback CSRF/session fixation...

6.5 CVSS | 5.8 AI score | 0.00124 EPSS
Exploits 0 | References 2
ATTACKERKB
added 2026/05/15 3:51 p.m. | 11 views

CVE-2026-45773

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a...

5.1 CVSS | 5.9 AI score | 0.00124 EPSS
Exploits 0 | References 2 | Affected Software 1
CNNVD
added 2026/05/15 12:00 a.m. | 15 views

Turborepo Cross-Site Request Forgery Vulnerability

Turborepo is a high-performance JavaScript and TypeScript build system open-sourced by Vercel. Versions of Turborepo prior to 2.9.14 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the lack of validation of the CSRF state value on the localhost callback in t...

6.5 CVSS | 5.7 AI score | 0.00124 EPSS
Exploits 0 | References 1
Positive Technologies
added 2026/05/15 12:00 a.m. | 13 views

PT-2026-41312

Name of the Vulnerable Software and Affected Versions: Turborepo versions prior to 2.9.14. Description: Turborepo is a high-performance build system for JavaScript and TypeScript codebases. The self-hosted login and SSO browser flows fail to validate a CSRF (Cross-Site Request Forgery) state value on...

6.5 CVSS | 5.8 AI score | 0.00124 EPSS
Exploits 0 | References 5