TanStack Unspecified Vulnerability
TanStack — TanStack
- Added to KEV catalog
- 27 May 2026
- Federal remediation due date
- 10 June 2026
AI Breakdown
What it is
CVE-2026-45321 is an unspecified vulnerability in TanStack that allowed attackers to publish malicious versions of its packages to the npm registry. These malicious versions, disguised as trusted updates, contained credential-stealing malware. The attackers achieved this by exploiting a series of GitHub Actions misconfigurations to gain unauthorized publishing capabilities.
Why it matters
This vulnerability is critical because it has been actively exploited and used in known ransomware campaigns. The unauthorized publishing of malware under a trusted identity poses a severe risk, as users could unknowingly install credential-stealing software. Its presence on the CISA Known Exploited Vulnerabilities catalog highlights the urgent need for immediate action.
Recommended action
Organizations must immediately prioritize applying any available mitigations or patches provided by the vendor for TanStack products. If vendor mitigations are not available, discontinue use of the affected products without delay. Additionally, follow all applicable guidance from CISA's Binding Operational Directive 22-01 for cloud services to reduce exposure.
AI-generated from CISA and NVD data — treat as a starting point, not a substitute for your own risk assessment.
CISA Description
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes
This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx ; https://nvd.nist.gov/vuln/detail/CVE-2026-45321
NVD Technical Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Is this vulnerability present in your environment?
CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.
Explore VAPT Services