
CVE-2026-45321: TanStack Query security vulnerability

CVSS 9.6 · Critical · EPSS 0.04% · P13

Affected version matrix (84 versions)

Vendor     Product                          Affected versions     Status
@tanstack  arktype-adapter                  1.166.12, 1.166.15    affected
@tanstack  eslint-plugin-router             1.161.9, 1.161.12     affected
@tanstack  eslint-plugin-start              0.0.4, 0.0.7          affected
@tanstack  history                          1.161.9, 1.161.12     affected
@tanstack  nitro-v2-vite-plugin             1.154.12, 1.154.15    affected
@tanstack  outer-vite-plugin                1.166.53, 1.166.56    affected
@tanstack  react-router                     1.169.5, 1.169.8      affected
@tanstack  react-router-devtools            1.166.16, 1.166.19    affected
@tanstack  react-router-ssr-query           1.166.15, 1.166.18    affected
@tanstack  react-start                      1.167.68, 1.167.71    affected
@tanstack  react-start-client               1.166.51, 1.166.54    affected
@tanstack  react-start-rsc                  0.0.47, 0.0.50        affected
@tanstack  react-start-server               1.166.55, 1.166.58    affected
@tanstack  router-cli                       1.166.46, 1.166.49    affected
@tanstack  router-core                      1.169.5, 1.169.8      affected
@tanstack  router-devtools                  1.166.16, 1.166.19    affected
@tanstack  router-devtools-core             1.167.6, 1.167.9      affected
@tanstack  router-generator                 1.166.45, 1.166.48    affected
@tanstack  router-plugin                    1.167.38, 1.167.41    affected
@tanstack  router-ssr-query-core            1.168.3, 1.168.6      affected
@tanstack  router-utils                     1.161.11, 1.161.14    affected
@tanstack  solid-router                     1.169.5, 1.169.8      affected
@tanstack  solid-router-devtools            1.166.16, 1.166.19    affected
@tanstack  solid-router-ssr-query           1.166.15, 1.166.18    affected
@tanstack  solid-start                      1.167.65, 1.167.68    affected
@tanstack  solid-start-client               1.166.50, 1.166.53    affected
@tanstack  solid-start-server               1.166.54, 1.166.57    affected
@tanstack  start-client-core                1.168.5, 1.168.8      affected
@tanstack  start-fn-stubs                   1.161.9, 1.161.12     affected
@tanstack  start-plugin-core                1.169.23, 1.169.26    affected
@tanstack  start-server-core                1.167.33, 1.167.36    affected
@tanstack  start-static-server-functions    1.166.44, 1.166.47    affected
@tanstack  start-storage-context            1.166.38, 1.166.41    affected
@tanstack  valibot-adapter                  1.166.12, 1.166.15    affected
@tanstack  virtual-file-routes              1.161.10, 1.161.13    affected
@tanstack  vue-router                       1.169.5, 1.169.8      affected
@tanstack  vue-router-devtools              1.166.16, 1.166.19    affected
@tanstack  vue-router-ssr-query             1.166.15, 1.166.18    affected
@tanstack  vue-start                        1.167.61, 1.167.64    affected
@tanstack  vue-start-client                 1.166.46, 1.166.49    affected
@tanstack  vue-start-server                 1.166.50, 1.166.53    affected
@tanstack  zod-adapter                      1.166.12, 1.166.15    affected

I. Basic information on CVE-2026-45321

Vulnerability information


Vulnerability Title
Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Source: NVD (US National Vulnerability Database)
Vulnerability Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Source: NVD (US National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (US National Vulnerability Database)
Vulnerability Type
Embedded malicious code
Source: NVD (US National Vulnerability Database)
Vulnerability Title
TanStack Query security vulnerability
Source: CNNVD (China National Vulnerability Database of Information Security)
Vulnerability Description
TanStack Query is an open-source, full-featured library from TanStack with TypeScript support. TanStack Query has a security vulnerability that stems from an attacker exploiting a pull_request_target misconfiguration, GitHub Actions cache poisoning and OIDC token memory extraction, which could lead to the publication of credential-stealing malware.
Source: CNNVD (China National Vulnerability Database of Information Security)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database of Information Security)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database of Information Security)

Affected products

Vendor     Product                          Affected version    CPE
@tanstack  arktype-adapter                  1.166.12            -
@tanstack  eslint-plugin-router             1.161.9             -
@tanstack  eslint-plugin-start              0.0.4               -
@tanstack  history                          1.161.9             -
@tanstack  nitro-v2-vite-plugin             1.154.12            -
@tanstack  react-router                     1.169.5             -
@tanstack  react-router-devtools            1.166.16            -
@tanstack  react-router-ssr-query           1.166.15            -
@tanstack  react-start                      1.167.68            -
@tanstack  react-start-client               1.166.51            -
@tanstack  react-start-rsc                  0.0.47              -
@tanstack  react-start-server               1.166.55            -
@tanstack  router-cli                       1.166.46            -
@tanstack  router-core                      1.169.5             -
@tanstack  router-devtools                  1.166.16            -
@tanstack  router-devtools-core             1.167.6             -
@tanstack  router-generator                 1.166.45            -
@tanstack  router-plugin                    1.167.38            -
@tanstack  router-ssr-query-core            1.168.3             -
@tanstack  router-utils                     1.161.11            -
@tanstack  outer-vite-plugin                1.166.53            -
@tanstack  solid-router                     1.169.5             -
@tanstack  solid-router-devtools            1.166.16            -
@tanstack  solid-router-ssr-query           1.166.15            -
@tanstack  solid-start                      1.167.65            -
@tanstack  solid-start-client               1.166.50            -
@tanstack  solid-start-server               1.166.54            -
@tanstack  start-client-core                1.168.5             -
@tanstack  start-fn-stubs                   1.161.9             -
@tanstack  start-plugin-core                1.169.23            -
@tanstack  start-server-core                1.167.33            -
@tanstack  start-static-server-functions    1.166.44            -
@tanstack  start-storage-context            1.166.38            -
@tanstack  valibot-adapter                  1.166.12            -
@tanstack  virtual-file-routes              1.161.10            -
@tanstack  vue-router                       1.169.5             -
@tanstack  vue-router-devtools              1.166.16            -
@tanstack  vue-router-ssr-query             1.166.15            -
@tanstack  vue-start                        1.167.61            -
@tanstack  vue-start-client                 1.166.46            -
@tanstack  vue-start-server                 1.166.50            -
@tanstack  zod-adapter                      1.166.12            -

II. Public POC for CVE-2026-45321


III. Intelligence information for CVE-2026-45321


IV. Related Vulnerabilities

V. Comments on CVE-2026-45321

No comments yet
