OsVault/npm/turbo
npm

turbo

18 known vulnerabilities · 0 critical · 1 high

GHSA-3qcw-2rhx-2726

Turbo: Unexpected local code execution during Yarn Berry detection

Published May 19, 2026
GHSA-hcf7-66rw-9f5r

Trubo: Login callback CSRF/session fixation

Published May 19, 2026
GHSA-49rj-9fvp-4h2h

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

Published Jun 3, 2026
MAL-2025-192731

Malicious code in ddos-turbo-ecma (npm)

Published Dec 23, 2025
MAL-2024-1243

Malicious code in @lbnqduy11805/turbo-octo-memory (npm)

Published Apr 10, 2024
MAL-2026-2943

Malicious code in turbo-he (npm)

Published Apr 20, 2026
MAL-2026-2944

Malicious code in turbo-leven (npm)

Published Apr 20, 2026
CVE-2025-66803

Turbo Frame responses can restore stale session cookies

Published Jan 20, 2026
MAL-2025-192732

Malicious code in ddos-turbo-max (npm)

Published Dec 23, 2025
CVE-2024-28181HIGH

TurboBoost Commands vulnerable to arbitrary method invocation

Published Mar 15, 2024
MAL-2025-6304

Malicious code in react-server-dom-turbopack-experimental (npm)

Published Jul 25, 2025
MAL-2026-4695

Malicious code in turbo-axios (npm)

Published May 23, 2026
MAL-2026-1213

Malicious code in turbo-json-parser (npm)

Published Mar 3, 2026
MAL-2026-596

Malicious code in turbotax (npm)

Published Jan 29, 2026
MAL-2023-8466

Malicious code in turbolinks-tests (npm)

Published Nov 6, 2023
MAL-2025-3504

Malicious code in turbo-bike-inspector (npm)

Published Apr 28, 2025
MAL-2026-6040

Malicious code in @mastra/turbopuffer (npm)

Published Jun 17, 2026
MAL-2025-724

Malicious code in turbolinks_jwt_test2 (npm)

Published Jan 31, 2025
Check your entire dependency tree at onceRun dependency scan →