Skip to content
Activamente explotadaCVSS 9.6 · CRITICAL

CVE-2026-45321

TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.

Ver en NVD

Severidad

Puntaje: 9.6(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: REQUIRED
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-506

CISA KEV

Agregada al KEV: 2026-05-27
Fecha límite federal: 2026-06-10
Uso conocido en ransomware: Unknown
Acción requerida

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS

Probabilidad de explotación (próx. 30 días): 0.0003 (0.0%)
Percentil: 8.1%
EPSS: 2026-05-27

Afecta

tanstack:tanstack\/arktype-adaptertanstack:tanstack\/eslint-plugin-routertanstack:tanstack\/eslint-plugin-starttanstack:tanstack\/historytanstack:tanstack\/nitro-v2-vite-plugintanstack:tanstack\/react-routertanstack:tanstack\/react-router-devtoolstanstack:tanstack\/react-router-ssr-querytanstack:tanstack\/react-starttanstack:tanstack\/react-start-clienttanstack:tanstack\/react-start-rsctanstack:tanstack\/react-start-servertanstack:tanstack\/router-clitanstack:tanstack\/router-coretanstack:tanstack\/router-devtoolstanstack:tanstack\/router-devtools-coretanstack:tanstack\/router-generatortanstack:tanstack\/router-plugintanstack:tanstack\/router-ssr-query-coretanstack:tanstack\/router-utilstanstack:tanstack\/router-vite-plugintanstack:tanstack\/solid-routertanstack:tanstack\/solid-router-devtoolstanstack:tanstack\/solid-router-ssr-querytanstack:tanstack\/solid-starttanstack:tanstack\/solid-start-clienttanstack:tanstack\/solid-start-servertanstack:tanstack\/start-client-coretanstack:tanstack\/start-fn-stubstanstack:tanstack\/start-plugin-coretanstack:tanstack\/start-server-coretanstack:tanstack\/start-static-server-functionstanstack:tanstack\/start-storage-contexttanstack:tanstack\/valibot-adaptertanstack:tanstack\/virtual-file-routestanstack:tanstack\/vue-routertanstack:tanstack\/vue-router-devtoolstanstack:tanstack\/vue-router-ssr-querytanstack:tanstack\/vue-starttanstack:tanstack\/vue-start-clienttanstack:tanstack\/vue-start-servertanstack:tanstack\/zod-adapter

Descripción técnica

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Publicada: 12/5/2026, 1:16:46
Última modificación: 27/5/2026, 20:18:55

Referencias

InicioEventosBlogRecursosEquipo