CVE-2026-45321

critical KEV

Published 2026-05-12 · Modified 2026-05-13

CVSS v3

9.6

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v2

—

VIR risk

10.0

Description

Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

CISA KEV

Vendor: TanStack
Product: TanStack
Due date: 2026-06-10

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx ; https://nvd.nist.gov/vuln/detail/CVE-2026-45321

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx

Exploits

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	@tanstack/arktype-adapter	`>=1.166.12,<1.166.16`	`1.166.16`
npm	@tanstack/eslint-plugin-router	`>=1.161.9,<1.161.13`	`1.161.13`
npm	@tanstack/eslint-plugin-start	`>=0.0.4,<0.0.8`	`0.0.8`
npm	@tanstack/history	`>=1.161.9,<1.161.13`	`1.161.13`
npm	@tanstack/nitro-v2-vite-plugin	`>=1.154.12,<1.154.16`	`1.154.16`
npm	@tanstack/react-router	`>=1.169.5,<1.169.9`	`1.169.9`
npm	@tanstack/react-router-devtools	`>=1.166.16,<1.166.20`	`1.166.20`
npm	@tanstack/react-router-ssr-query	`>=1.166.15,<1.166.19`	`1.166.19`
npm	@tanstack/react-start	`>=1.167.68,<1.167.72`	`1.167.72`
npm	@tanstack/react-start-client	`>=1.166.51,<1.166.55`	`1.166.55`
npm	@tanstack/react-start-rsc	`>=0.0.47,<0.0.51`	`0.0.51`
npm	@tanstack/react-start-server	`>=1.166.55,<1.166.59`	`1.166.59`
npm	@tanstack/router-cli	`>=1.166.46,<1.166.50`	`1.166.50`
npm	@tanstack/router-core	`>=1.169.5,<1.169.9`	`1.169.9`
npm	@tanstack/router-devtools	`>=1.166.16,<1.166.20`	`1.166.20`
npm	@tanstack/router-devtools-core	`>=1.167.6,<1.167.10`	`1.167.10`
npm	@tanstack/router-generator	`>=1.166.45,<1.166.49`	`1.166.49`
npm	@tanstack/router-plugin	`>=1.167.38,<1.167.42`	`1.167.42`
npm	@tanstack/router-ssr-query-core	`>=1.168.3,<1.168.7`	`1.168.7`
npm	@tanstack/router-utils	`>=1.161.11,<1.161.15`	`1.161.15`
npm	@tanstack/router-vite-plugin	`>=1.166.53,<1.166.57`	`1.166.57`
npm	@tanstack/solid-router	`>=1.169.5,<1.169.9`	`1.169.9`
npm	@tanstack/solid-router-devtools	`>=1.166.16,<1.166.20`	`1.166.20`
npm	@tanstack/solid-router-ssr-query	`>=1.166.15,<1.166.19`	`1.166.19`
npm	@tanstack/solid-start	`>=1.167.65,<1.167.69`	`1.167.69`
npm	@tanstack/solid-start-client	`>=1.166.50,<1.166.54`	`1.166.54`
npm	@tanstack/solid-start-server	`>=1.166.54,<1.166.58`	`1.166.58`
npm	@tanstack/start-client-core	`>=1.168.5,<1.168.9`	`1.168.9`
npm	@tanstack/start-fn-stubs	`>=1.161.9,<1.161.13`	`1.161.13`
npm	@tanstack/start-plugin-core	`>=1.169.23,<1.169.27`	`1.169.27`
npm	@tanstack/start-server-core	`>=1.167.33,<1.167.37`	`1.167.37`
npm	@tanstack/start-static-server-functions	`>=1.166.44,<1.166.48`	`1.166.48`
npm	@tanstack/start-storage-context	`>=1.166.38,<1.166.42`	`1.166.42`
npm	@tanstack/valibot-adapter	`>=1.166.12,<1.166.16`	`1.166.16`
npm	@tanstack/virtual-file-routes	`>=1.161.10,<1.161.14`	`1.161.14`
npm	@tanstack/vue-router	`>=1.169.5,<1.169.9`	`1.169.9`
npm	@tanstack/vue-router-devtools	`>=1.166.16,<1.166.20`	`1.166.20`
npm	@tanstack/vue-router-ssr-query	`>=1.166.15,<1.166.19`	`1.166.19`
npm	@tanstack/vue-start	`>=1.167.61,<1.167.65`	`1.167.65`
npm	@tanstack/vue-start-client	`>=1.166.46,<1.166.50`	`1.166.50`
npm	@tanstack/vue-start-server	`>=1.166.50,<1.166.54`	`1.166.54`
npm	@tanstack/zod-adapter	`>=1.166.12,<1.166.16`	`1.166.16`
npm	@tanstack/arktype-adapter	`>=1.166.15,<1.166.16`	`1.166.16`
npm	@tanstack/eslint-plugin-router	`>=1.161.12,<1.161.13`	`1.161.13`
npm	@tanstack/eslint-plugin-start	`>=0.0.7,<0.0.8`	`0.0.8`
npm	@tanstack/history	`>=1.161.12,<1.161.13`	`1.161.13`
npm	@tanstack/nitro-v2-vite-plugin	`>=1.154.15,<1.154.16`	`1.154.16`
npm	@tanstack/react-router	`>=1.169.8,<1.169.9`	`1.169.9`
npm	@tanstack/react-router-devtools	`>=1.166.19,<1.166.20`	`1.166.20`
npm	@tanstack/react-router-ssr-query	`>=1.166.18,<1.166.19`	`1.166.19`
npm	@tanstack/react-start	`>=1.167.71,<1.167.72`	`1.167.72`
npm	@tanstack/react-start-client	`>=1.166.54,<1.166.55`	`1.166.55`
npm	@tanstack/react-start-rsc	`>=0.0.50,<0.0.51`	`0.0.51`
npm	@tanstack/react-start-server	`>=1.166.58,<1.166.59`	`1.166.59`
npm	@tanstack/router-cli	`>=1.166.49,<1.166.50`	`1.166.50`
npm	@tanstack/router-core	`>=1.169.8,<1.169.9`	`1.169.9`
npm	@tanstack/router-devtools	`>=1.166.19,<1.166.20`	`1.166.20`
npm	@tanstack/router-devtools-core	`>=1.167.9,<1.167.10`	`1.167.10`
npm	@tanstack/router-generator	`>=1.166.48,<1.166.49`	`1.166.49`
npm	@tanstack/router-plugin	`>=1.167.41,<1.167.42`	`1.167.42`
npm	@tanstack/router-ssr-query-core	`>=1.168.6,<1.168.7`	`1.168.7`
npm	@tanstack/router-utils	`>=1.161.14,<1.161.15`	`1.161.15`
npm	@tanstack/router-vite-plugin	`>=1.166.56,<1.166.57`	`1.166.57`
npm	@tanstack/solid-router	`>=1.169.8,<1.169.9`	`1.169.9`
npm	@tanstack/solid-router-devtools	`>=1.166.19,<1.166.20`	`1.166.20`
npm	@tanstack/solid-router-ssr-query	`>=1.166.18,<1.166.19`	`1.166.19`
npm	@tanstack/solid-start	`>=1.167.68,<1.167.69`	`1.167.69`
npm	@tanstack/solid-start-client	`>=1.166.53,<1.166.54`	`1.166.54`
npm	@tanstack/solid-start-server	`>=1.166.57,<1.166.58`	`1.166.58`
npm	@tanstack/start-client-core	`>=1.168.8,<1.168.9`	`1.168.9`
npm	@tanstack/start-fn-stubs	`>=1.161.12,<1.161.13`	`1.161.13`
npm	@tanstack/start-plugin-core	`>=1.169.26,<1.169.27`	`1.169.27`
npm	@tanstack/start-server-core	`>=1.167.36,<1.167.37`	`1.167.37`
npm	@tanstack/start-static-server-functions	`>=1.166.47,<1.166.48`	`1.166.48`
npm	@tanstack/start-storage-context	`>=1.166.41,<1.166.42`	`1.166.42`
npm	@tanstack/valibot-adapter	`>=1.166.15,<1.166.16`	`1.166.16`
npm	@tanstack/virtual-file-routes	`>=1.161.13,<1.161.14`	`1.161.14`
npm	@tanstack/vue-router	`>=1.169.8,<1.169.9`	`1.169.9`
npm	@tanstack/vue-router-devtools	`>=1.166.19,<1.166.20`	`1.166.20`
npm	@tanstack/vue-router-ssr-query	`>=1.166.18,<1.166.19`	`1.166.19`
npm	@tanstack/vue-start	`>=1.167.64,<1.167.65`	`1.167.65`
npm	@tanstack/vue-start-client	`>=1.166.49,<1.166.50`	`1.166.50`
npm	@tanstack/vue-start-server	`>=1.166.53,<1.166.54`	`1.166.54`
npm	@tanstack/zod-adapter	`>=1.166.15,<1.166.16`	`1.166.16`
NPM	@tanstack/zod-adapter	`= 1.166.15`	`1.166.16`
NPM	@tanstack/vue-start-server	`= 1.166.53`	`1.166.54`
NPM	@tanstack/vue-start-client	`= 1.166.49`	`1.166.50`
NPM	@tanstack/vue-start	`= 1.167.64`	`1.167.65`
NPM	@tanstack/vue-router-ssr-query	`= 1.166.18`	`1.166.19`
NPM	@tanstack/vue-router-devtools	`= 1.166.19`	`1.166.20`
NPM	@tanstack/vue-router	`= 1.169.8`	`1.169.9`
NPM	@tanstack/virtual-file-routes	`= 1.161.13`	`1.161.14`
NPM	@tanstack/valibot-adapter	`= 1.166.15`	`1.166.16`
NPM	@tanstack/start-storage-context	`= 1.166.41`	`1.166.42`
NPM	@tanstack/start-static-server-functions	`= 1.166.47`	`1.166.48`
NPM	@tanstack/start-server-core	`= 1.167.36`	`1.167.37`
NPM	@tanstack/start-plugin-core	`= 1.169.26`	`1.169.27`
NPM	@tanstack/start-fn-stubs	`= 1.161.12`	`1.161.13`
NPM	@tanstack/start-client-core	`= 1.168.8`	`1.168.9`
NPM	@tanstack/solid-start-server	`= 1.166.57`	`1.166.58`
NPM	@tanstack/solid-start-client	`= 1.166.53`	`1.166.54`
NPM	@tanstack/solid-start	`= 1.167.68`	`1.167.69`
NPM	@tanstack/solid-router-ssr-query	`= 1.166.18`	`1.166.19`
NPM	@tanstack/solid-router-devtools	`= 1.166.19`	`1.166.20`
NPM	@tanstack/solid-router	`= 1.169.8`	`1.169.9`
NPM	@tanstack/router-vite-plugin	`= 1.166.56`	`1.166.57`
NPM	@tanstack/router-utils	`= 1.161.14`	`1.161.15`
NPM	@tanstack/router-ssr-query-core	`= 1.168.6`	`1.168.7`
NPM	@tanstack/router-plugin	`= 1.167.41`	`1.167.42`
NPM	@tanstack/router-generator	`= 1.166.48`	`1.166.49`
NPM	@tanstack/router-devtools-core	`= 1.167.9`	`1.167.10`
NPM	@tanstack/router-devtools	`= 1.166.19`	`1.166.20`
NPM	@tanstack/router-core	`= 1.169.8`	`1.169.9`
NPM	@tanstack/router-cli	`= 1.166.49`	`1.166.50`
NPM	@tanstack/react-start-server	`= 1.166.58`	`1.166.59`
NPM	@tanstack/react-start-rsc	`= 0.0.50`	`0.0.51`
NPM	@tanstack/react-start-client	`= 1.166.54`	`1.166.55`
NPM	@tanstack/react-start	`= 1.167.71`	`1.167.72`
NPM	@tanstack/react-router-ssr-query	`= 1.166.18`	`1.166.19`
NPM	@tanstack/react-router-devtools	`= 1.166.19`	`1.166.20`
NPM	@tanstack/react-router	`= 1.169.8`	`1.169.9`
NPM	@tanstack/nitro-v2-vite-plugin	`= 1.154.15`	`1.154.16`
NPM	@tanstack/history	`= 1.161.12`	`1.161.13`
NPM	@tanstack/eslint-plugin-start	`= 0.0.7`	`0.0.8`
NPM	@tanstack/eslint-plugin-router	`= 1.161.12`	`1.161.13`
NPM	@tanstack/arktype-adapter	`= 1.166.15`	`1.166.16`
NPM	@tanstack/zod-adapter	`= 1.166.12`	`1.166.16`
NPM	@tanstack/vue-start-server	`= 1.166.50`	`1.166.54`
NPM	@tanstack/vue-start-client	`= 1.166.46`	`1.166.50`
NPM	@tanstack/vue-start	`= 1.167.61`	`1.167.65`
NPM	@tanstack/vue-router-ssr-query	`= 1.166.15`	`1.166.19`
NPM	@tanstack/vue-router-devtools	`= 1.166.16`	`1.166.20`
NPM	@tanstack/vue-router	`= 1.169.5`	`1.169.9`
NPM	@tanstack/virtual-file-routes	`= 1.161.10`	`1.161.14`
NPM	@tanstack/valibot-adapter	`= 1.166.12`	`1.166.16`
NPM	@tanstack/start-storage-context	`= 1.166.38`	`1.166.42`
NPM	@tanstack/start-static-server-functions	`= 1.166.44`	`1.166.48`
NPM	@tanstack/start-server-core	`= 1.167.33`	`1.167.37`
NPM	@tanstack/start-plugin-core	`= 1.169.23`	`1.169.27`
NPM	@tanstack/start-fn-stubs	`= 1.161.9`	`1.161.13`
NPM	@tanstack/start-client-core	`= 1.168.5`	`1.168.9`
NPM	@tanstack/solid-start-server	`= 1.166.54`	`1.166.58`
NPM	@tanstack/solid-start-client	`= 1.166.50`	`1.166.54`
NPM	@tanstack/solid-start	`= 1.167.65`	`1.167.69`
NPM	@tanstack/solid-router-ssr-query	`= 1.166.15`	`1.166.19`
NPM	@tanstack/solid-router-devtools	`= 1.166.16`	`1.166.20`
NPM	@tanstack/solid-router	`= 1.169.5`	`1.169.9`
NPM	@tanstack/router-vite-plugin	`= 1.166.53`	`1.166.57`
NPM	@tanstack/router-utils	`= 1.161.11`	`1.161.15`
NPM	@tanstack/router-ssr-query-core	`= 1.168.3`	`1.168.7`
NPM	@tanstack/router-plugin	`= 1.167.38`	`1.167.42`
NPM	@tanstack/router-generator	`= 1.166.45`	`1.166.49`
NPM	@tanstack/router-devtools-core	`= 1.167.6`	`1.167.10`
NPM	@tanstack/router-devtools	`= 1.166.16`	`1.166.20`
NPM	@tanstack/router-core	`= 1.169.5`	`1.169.9`
NPM	@tanstack/router-cli	`= 1.166.46`	`1.166.50`
NPM	@tanstack/react-start-server	`= 1.166.55`	`1.166.59`
NPM	@tanstack/react-start-rsc	`= 0.0.47`	`0.0.51`
NPM	@tanstack/react-start-client	`= 1.166.51`	`1.166.55`
NPM	@tanstack/react-start	`= 1.167.68`	`1.167.72`
NPM	@tanstack/react-router-ssr-query	`= 1.166.15`	`1.166.19`
NPM	@tanstack/react-router-devtools	`= 1.166.16`	`1.166.20`
NPM	@tanstack/react-router	`= 1.169.5`	`1.169.9`
NPM	@tanstack/nitro-v2-vite-plugin	`= 1.154.12`	`1.154.16`
NPM	@tanstack/history	`= 1.161.9`	`1.161.13`
NPM	@tanstack/eslint-plugin-start	`= 0.0.4`	`0.0.8`
NPM	@tanstack/eslint-plugin-router	`= 1.161.9`	`1.161.13`
NPM	@tanstack/arktype-adapter	`= 1.166.12`	`1.166.16`

Application impact

Vendor	Product	Versions
tanstack	tanstack\/arktype-adapter	`1.166.12`
tanstack	tanstack\/arktype-adapter	`1.166.15`
tanstack	tanstack\/eslint-plugin-router	`1.161.9`
tanstack	tanstack\/eslint-plugin-router	`1.161.12`
tanstack	tanstack\/eslint-plugin-start	`0.0.4`
tanstack	tanstack\/eslint-plugin-start	`0.0.7`
tanstack	tanstack\/history	`1.161.9`
tanstack	tanstack\/history	`1.161.12`
tanstack	tanstack\/nitro-v2-vite-plugin	`1.154.12`
tanstack	tanstack\/nitro-v2-vite-plugin	`1.154.15`
tanstack	tanstack\/react-router	`1.169.5`
tanstack	tanstack\/react-router	`1.169.8`
tanstack	tanstack\/react-router-devtools	`1.166.16`
tanstack	tanstack\/react-router-devtools	`1.166.19`
tanstack	tanstack\/react-router-ssr-query	`1.166.15`
tanstack	tanstack\/react-router-ssr-query	`1.166.18`
tanstack	tanstack\/react-start	`1.167.68`
tanstack	tanstack\/react-start	`1.167.71`
tanstack	tanstack\/react-start-client	`1.166.51`
tanstack	tanstack\/react-start-client	`1.166.54`
tanstack	tanstack\/react-start-rsc	`0.0.47`
tanstack	tanstack\/react-start-rsc	`0.0.50`
tanstack	tanstack\/react-start-server	`1.166.55`
tanstack	tanstack\/react-start-server	`1.166.58`
tanstack	tanstack\/router-cli	`1.166.46`
tanstack	tanstack\/router-cli	`1.166.49`
tanstack	tanstack\/router-core	`1.169.5`
tanstack	tanstack\/router-core	`1.169.8`
tanstack	tanstack\/router-devtools	`1.166.16`
tanstack	tanstack\/router-devtools	`1.166.19`
tanstack	tanstack\/router-devtools-core	`1.167.6`
tanstack	tanstack\/router-devtools-core	`1.167.9`
tanstack	tanstack\/router-generator	`1.166.45`
tanstack	tanstack\/router-generator	`1.166.48`
tanstack	tanstack\/router-plugin	`1.167.38`
tanstack	tanstack\/router-plugin	`1.167.41`
tanstack	tanstack\/router-ssr-query-core	`1.168.3`
tanstack	tanstack\/router-ssr-query-core	`1.168.6`
tanstack	tanstack\/router-utils	`1.161.11`
tanstack	tanstack\/router-utils	`1.161.14`
tanstack	tanstack\/router-vite-plugin	`1.166.53`
tanstack	tanstack\/router-vite-plugin	`1.166.56`
tanstack	tanstack\/solid-router	`1.169.5`
tanstack	tanstack\/solid-router	`1.169.8`
tanstack	tanstack\/solid-router-devtools	`1.166.16`
tanstack	tanstack\/solid-router-devtools	`1.166.19`
tanstack	tanstack\/solid-router-ssr-query	`1.166.15`
tanstack	tanstack\/solid-router-ssr-query	`1.166.18`
tanstack	tanstack\/solid-start	`1.167.65`
tanstack	tanstack\/solid-start	`1.167.68`
tanstack	tanstack\/solid-start-client	`1.166.50`
tanstack	tanstack\/solid-start-client	`1.166.53`
tanstack	tanstack\/solid-start-server	`1.166.54`
tanstack	tanstack\/solid-start-server	`1.166.57`
tanstack	tanstack\/start-client-core	`1.168.5`
tanstack	tanstack\/start-client-core	`1.168.8`
tanstack	tanstack\/start-fn-stubs	`1.161.9`
tanstack	tanstack\/start-fn-stubs	`1.161.12`
tanstack	tanstack\/start-plugin-core	`1.169.23`
tanstack	tanstack\/start-plugin-core	`1.169.26`
tanstack	tanstack\/start-server-core	`1.167.33`
tanstack	tanstack\/start-server-core	`1.167.36`
tanstack	tanstack\/start-static-server-functions	`1.166.44`
tanstack	tanstack\/start-static-server-functions	`1.166.47`
tanstack	tanstack\/start-storage-context	`1.166.38`
tanstack	tanstack\/start-storage-context	`1.166.41`
tanstack	tanstack\/valibot-adapter	`1.166.12`
tanstack	tanstack\/valibot-adapter	`1.166.15`
tanstack	tanstack\/virtual-file-routes	`1.161.10`
tanstack	tanstack\/virtual-file-routes	`1.161.13`
tanstack	tanstack\/vue-router	`1.169.5`
tanstack	tanstack\/vue-router	`1.169.8`
tanstack	tanstack\/vue-router-devtools	`1.166.16`
tanstack	tanstack\/vue-router-devtools	`1.166.19`
tanstack	tanstack\/vue-router-ssr-query	`1.166.15`
tanstack	tanstack\/vue-router-ssr-query	`1.166.18`
tanstack	tanstack\/vue-start	`1.167.61`
tanstack	tanstack\/vue-start	`1.167.64`
tanstack	tanstack\/vue-start-client	`1.166.46`
tanstack	tanstack\/vue-start-client	`1.166.49`
tanstack	tanstack\/vue-start-server	`1.166.50`
tanstack	tanstack\/vue-start-server	`1.166.53`
tanstack	tanstack\/zod-adapter	`1.166.12`
tanstack	tanstack\/zod-adapter	`1.166.15`

References

CWEs

CWE-506

Verify integrity in audit chain (admin only). AS-IS.