Threat Advisory

Tanstack Router Setup Vulnerabilities Exposed

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-45321, with a CVSS score of 9.6, is a critical vulnerability affecting multiple npm packages in the @tanstack/* namespace, including @tanstack/arktype-adapter, @tanstack/eslint-plugin-router, @tanstack/history, and others, with affected versions ranging from 0.0.4 to 1.169.9 and patched versions ranging from 0.0.8 to 1.169.9. The vulnerability allows an attacker to publish credential-stealing malware under a trusted identity by chaining three known vulnerability classes: a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning, and runtime extraction of the OIDC token from the memory of the Actions runner process. Exploitation requires that a user install an affected version of the package; the package then executes a payload at install time that harvests credentials from various locations, exfiltrates the harvested data over the Session/Oxen messenger file-upload network, and enumerates packages maintained by the victim in order to republish them with the same injection, propagating the compromise across npm. A successful attack gives the attacker the ability to steal sensitive credentials and compromise the security of the affected packages. The business impact is severe, including the potential for data breaches, account takeovers, and reputational damage. The prerequisite for exploitation is that the user installed an affected version of the package between 2026-05-11, 19:20 UTC and 2026-05-11, 19:26 UTC.

RECOMMENDATION:

  • We recommend updating npm/@tanstack/arktype-adapter to version 1.166.16.
  • We recommend updating npm/@tanstack/eslint-plugin-router to version 1.161.13.
  • We recommend updating npm/@tanstack/eslint-plugin-start to version 0.0.8.
  • We recommend updating npm/@tanstack/history to version 1.161.13.
  • We recommend updating npm/@tanstack/nitro-v2-vite-plugin to version 1.154.16.
  • We recommend updating npm/@tanstack/react-router to version 1.169.9.
  • We recommend updating npm/@tanstack/react-router-devtools to version 1.166.20.
  • We recommend updating npm/@tanstack/react-router-ssr-query to version 1.166.19.
  • We recommend updating npm/@tanstack/react-start to version 1.167.72.
  • We recommend updating npm/@tanstack/react-start-client to version 1.166.55.
  • We recommend updating npm/@tanstack/react-start-rsc to version 0.0.51.
  • We recommend updating npm/@tanstack/react-start-server to version 1.166.59.
  • We recommend updating npm/@tanstack/router-cli to version 1.166.50.
  • We recommend updating npm/@tanstack/router-core to version 1.169.9.
  • We recommend updating npm/@tanstack/router-devtools to version 1.166.20.
  • We recommend updating npm/@tanstack/router-devtools-core to version 1.167.10.
  • We recommend updating npm/@tanstack/router-generator to version 1.166.49.
  • We recommend updating npm/@tanstack/router-plugin to version 1.167.42.
  • We recommend updating npm/@tanstack/router-ssr-query-core to version 1.168.7.
  • We recommend updating npm/@tanstack/router-utils to version 1.161.15.
  • We recommend updating npm/@tanstack/router-vite-plugin to version 1.166.57.
  • We recommend updating npm/@tanstack/solid-router to version 1.169.9.
  • We recommend updating npm/@tanstack/solid-router-devtools to version 1.166.20.
  • We recommend updating npm/@tanstack/solid-router-ssr-query to version 1.166.19.
  • We recommend updating npm/@tanstack/solid-start to version 1.167.69.
  • We recommend updating npm/@tanstack/solid-start-client to version 1.166.54.
  • We recommend updating npm/@tanstack/solid-start-server to version 1.166.58.
  • We recommend updating npm/@tanstack/start-client-core to version 1.168.9.
  • We recommend updating npm/@tanstack/start-fn-stubs to version 1.161.13.
  • We recommend updating npm/@tanstack/start-plugin-core to version 1.169.27.
  • We recommend updating npm/@tanstack/start-server-core to version 1.167.37.
  • We recommend updating npm/@tanstack/start-static-server-functions to version 1.166.48.
  • We recommend updating npm/@tanstack/start-storage-context to version 1.166.42.
  • We recommend updating npm/@tanstack/valibot-adapter to version 1.166.16.
  • We recommend updating npm/@tanstack/virtual-file-routes to version 1.161.14.
  • We recommend updating npm/@tanstack/vue-router to version 1.169.9.
  • We recommend updating npm/@tanstack/vue-router-devtools to version 1.166.20.
  • We recommend updating npm/@tanstack/vue-router-ssr-query to version 1.166.19.
  • We recommend updating npm/@tanstack/vue-start to version 1.167.65.
  • We recommend updating npm/@tanstack/vue-start-client to version 1.166.50.
  • We recommend updating npm/@tanstack/vue-start-server to version 1.166.54.
  • We recommend updating npm/@tanstack/zod-adapter to version 1.166.16.
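As an added example (not code from the advisory or the TanStack project), a Node script that checks a package-lock.json against the patched versions the recommendation list above gives, so a team can confirm whether any lockfile still pins a package below them; PATCHED carries a subset of that list, the sample lockfile is constructed, and treating every lower version as unverified is my assumption rather than a statement from the advisory.

```javascript
// Added example, not from the advisory or the TanStack project: scan a
// package-lock.json (lockfileVersion 2/3 "packages" map) for @tanstack/*
// entries pinned below the patched version the advisory lists for them.
// Assumption (mine): anything below the listed patched version is flagged.

// Patched versions copied from the advisory's recommendation list (subset).
const PATCHED = {
  '@tanstack/react-router': '1.169.9',
  '@tanstack/router-core': '1.169.9',
  '@tanstack/history': '1.161.13',
  '@tanstack/eslint-plugin-start': '0.0.8',
};

// Numeric dotted-version compare; a prerelease suffix ("-beta.1") is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lock keys look like "node_modules/@tanstack/react-router" or, when nested,
// "node_modules/some-lib/node_modules/@tanstack/history"; both are matched.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = path.match(/node_modules\/(@tanstack\/[^/]+)$/);
    if (!m || !entry.version) continue;
    const patched = PATCHED[m[1]];
    if (patched && compareVersions(entry.version, patched) < 0) {
      findings.push({ name: m[1], installed: entry.version, patched, path });
    }
  }
  return findings;
}

// Constructed sample lockfile standing in for a real package-lock.json.
const SAMPLE_LOCK = { packages: {
  'node_modules/@tanstack/react-router': { version: '1.169.9' },
  'node_modules/@tanstack/router-core': { version: '1.169.8' },
  'node_modules/some-lib/node_modules/@tanstack/history': { version: '1.160.0' },
  'node_modules/@tanstack/eslint-plugin-start': { version: '0.0.8' },
} };
for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.name} ${f.installed} is below patched ${f.patched} at ${f.path}`);
}
```

On a real project, feed it the parsed lockfile instead of the sample: findVulnerable(JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8'))); extend PATCHED with the remaining entries from the list above as needed.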

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-g7cv-rxg3-hmpx
