GHSA-hcf7-66rw-9f5r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hcf7-66rw-9f5r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hcf7-66rw-9f5r/GHSA-hcf7-66rw-9f5r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hcf7-66rw-9f5r
- Aliases
-
- CVE-2026-45773
- Published
- 2026-05-19T19:49:52Z
- Modified
- 2026-05-19T20:00:09.310391624Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N CVSS Calculator
- Summary
- Trubo: Login callback CSRF/session fixation
- Details
-
Impact
Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.
This affects users authenticating the
turboCLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.Fix
The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.
Workarounds
If you cannot upgrade immediately, avoid browser-based self-hosted
turbo loginor SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-05-15T16:16:15Z", "github_reviewed_at": "2026-05-19T19:49:52Z", "cwe_ids": [ "CWE-352" ] }- References
Affected packages
npm / turbo
Package
- Name
- turbo
- View open source insights on deps.dev
- Purl
- pkg:npm/turbo