MEDIUM · CVSS 6.5
CVE-2024-21656 — Turborepo path traversal in cached outputs
Turborepo's remote-cache implementation allowed crafted cache entries to escape the expected output directory, writing arbitrary files on a developer's machine when restoring the cache.
Affects
- turborepo < 1.12.5
What an attacker does
An attacker with write access to a remote Turborepo cache (compromised CI credentials, a compromised team member) could publish a poisoned cache entry. When team members ran `turbo run build` and restored that entry, its crafted paths escaped the per-package output directory and were written elsewhere on the developer's machine.
How to detect
Run `npm ls turbo` and check whether the resolved version is below 1.12.5.
How to fix
Upgrade Turborepo to 1.12.5 or later, and rotate any remote-cache write tokens that may have been shared broadly.
How Securie catches it
Securie flags monorepos that depend on a vulnerable Turborepo version and audits the scope of remote-cache tokens.