Sign in Sign up
JA · EN · FR
SecPulse
← Back
CVE-2026-45321 CISA KEV critical CVSS 9.6

[KEV] Vulnerability in @tanstack/arktype-adapter (CVE-2026-45321)

Summary

vulnerability in @tanstack/arktype-adapter (CVE-2026-45321). Successful exploitation can lead to full system takeover. Exploitable via ``pull_request_target``. Listed in CISA KEV — actively exploited. Mitigation: upgrade to `1.166.16` or later.

AI summary snake-internal / snake-material-v2

A vulnerability tracked as **CVE-2026-45321** has been found in @tanstack/arktype-adapter. Attackers can target a specific entry point like ``pull_request_target`` over the network to misuse the product. Successful exploitation can lead to full system takeover. CVSS score: 9.6/10. Note: CISA has officially confirmed this is **actively exploited in the wild**. Treat it with elevated urgency. What to do: upgrade @tanstack/arktype-adapter to **1.166.16** or later. If unsure, ask your IT team or search "@tanstack/arktype-adapter CVE-2026-45321" on the vendor's site.
CVE-2026-45321 (@tanstack/arktype-adapter) — CWE-506 / CVSS v3 9.6 Attack vector: remote (network-reachable) / unauthenticated Attack surface: `pull_request_target` / `router_init.js` / `filev2.getsession.org` / `optionalDependencies` Patched: `1.166.16` — apply immediately Listed in CISA KEV — actively exploited, treat as top priority. Plan: 1) Audit SBOM/dependencies, 2) Stage→prod upgrade, 3) Add WAF/proxy monitoring on affected endpoints, 4) Hunt IOCs in logs. Refs: see the GHSA / vendor advisory / patched release linked on this page.
❓ What is the problem
**A vulnerability** (CWE-506) exists in @tanstack/arktype-adapter. Attackers reach the vulnerable code path via ``pull_request_target`` without authentication.
📍 Affected scope
@tanstack/arktype-adapter — . Attack surface: `pull_request_target` / `router_init.js` / `filev2.getsession.org` / `optionalDependencies`.
🔥 Severity
Severity: Critical (CVSS 9.6/10). Successful exploitation can lead to full system takeover **Listed in CISA KEV** — actively exploited in the wild, treat as top priority.
🔧 How to fix
Update to **1.166.16**.
🛡️ Workaround
Until the patch is applied: disable the affected feature, apply WAF rules, or restrict access via network ACLs.
🔍 Detection
Search webserver/proxy logs for unusual request patterns matching this CVE's known IOCs. Run `grep -r '@tanstack/arktype-adapter' .` against your dependency files (package-lock.json, requirements.txt, go.sum) to find affected services.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  1. 1
    Identify exposure identify 
    grep -r '@tanstack/arktype-adapter' . | grep -v node_modules

    リポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `@tanstack/arktype-adapter` を grep し、稼働しているサービス・バージョンを把握する。

  2. 4
    Consider incident declaration escalate 
    Notify SOC / on-call

    CISA KEV登録済 = 実環境で悪用が観測されている。Step 3 で兆候があればインシデント対応宣言、無くてもパッチ適用までWAF強化を最優先で。

  3. 6
    Apply patch patch 
    Upgrade @tanstack/arktype-adapter to 1.166.16

    ステージング環境で 1.166.16 に上げて回帰テスト → 本番反映。回帰テストはアプリの主要ハッピーパスと、Step 3 で見つけた異常検知の続報チェックを含めること。

  4. 7
    Post-deployment verification verify 
    Confirm patched version is live in production

    パッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。

Affected packages

npm @tanstack/arktype-adapter
[{"type":"SEMVER","events":[{"introduced":"1.166.15"},{"fixed":"1.166.16"}]}]
npm @tanstack/eslint-plugin-router
[{"type":"SEMVER","events":[{"introduced":"1.161.12"},{"fixed":"1.161.13"}]}]
npm @tanstack/eslint-plugin-start
[{"type":"SEMVER","events":[{"introduced":"0.0.7"},{"fixed":"0.0.8"}]}]
npm @tanstack/history
[{"type":"SEMVER","events":[{"introduced":"1.161.12"},{"fixed":"1.161.13"}]}]
npm @tanstack/nitro-v2-vite-plugin
[{"type":"SEMVER","events":[{"introduced":"1.154.15"},{"fixed":"1.154.16"}]}]
npm @tanstack/react-router
[{"type":"SEMVER","events":[{"introduced":"1.169.8"},{"fixed":"1.169.9"}]}]
npm @tanstack/react-router-devtools
[{"type":"SEMVER","events":[{"introduced":"1.166.19"},{"fixed":"1.166.20"}]}]
npm @tanstack/react-router-ssr-query
[{"type":"SEMVER","events":[{"introduced":"1.166.18"},{"fixed":"1.166.19"}]}]
npm @tanstack/react-start
[{"type":"SEMVER","events":[{"introduced":"1.167.71"},{"fixed":"1.167.72"}]}]
npm @tanstack/react-start-client
[{"type":"SEMVER","events":[{"introduced":"1.166.54"},{"fixed":"1.166.55"}]}]
npm @tanstack/react-start-rsc
[{"type":"SEMVER","events":[{"introduced":"0.0.50"},{"fixed":"0.0.51"}]}]
npm @tanstack/react-start-server
[{"type":"SEMVER","events":[{"introduced":"1.166.58"},{"fixed":"1.166.59"}]}]
npm @tanstack/router-cli
[{"type":"SEMVER","events":[{"introduced":"1.166.49"},{"fixed":"1.166.50"}]}]
npm @tanstack/router-core
[{"type":"SEMVER","events":[{"introduced":"1.169.8"},{"fixed":"1.169.9"}]}]
npm @tanstack/router-devtools
[{"type":"SEMVER","events":[{"introduced":"1.166.19"},{"fixed":"1.166.20"}]}]
npm @tanstack/router-devtools-core
[{"type":"SEMVER","events":[{"introduced":"1.167.9"},{"fixed":"1.167.10"}]}]
npm @tanstack/router-generator
[{"type":"SEMVER","events":[{"introduced":"1.166.48"},{"fixed":"1.166.49"}]}]
npm @tanstack/router-plugin
[{"type":"SEMVER","events":[{"introduced":"1.167.41"},{"fixed":"1.167.42"}]}]
npm @tanstack/router-ssr-query-core
[{"type":"SEMVER","events":[{"introduced":"1.168.6"},{"fixed":"1.168.7"}]}]
npm @tanstack/router-utils
[{"type":"SEMVER","events":[{"introduced":"1.161.14"},{"fixed":"1.161.15"}]}]
npm @tanstack/router-vite-plugin
[{"type":"SEMVER","events":[{"introduced":"1.166.56"},{"fixed":"1.166.57"}]}]
npm @tanstack/solid-router
[{"type":"SEMVER","events":[{"introduced":"1.169.8"},{"fixed":"1.169.9"}]}]
npm @tanstack/solid-router-devtools
[{"type":"SEMVER","events":[{"introduced":"1.166.19"},{"fixed":"1.166.20"}]}]
npm @tanstack/solid-router-ssr-query
[{"type":"SEMVER","events":[{"introduced":"1.166.18"},{"fixed":"1.166.19"}]}]
npm @tanstack/solid-start
[{"type":"SEMVER","events":[{"introduced":"1.167.68"},{"fixed":"1.167.69"}]}]
npm @tanstack/solid-start-client
[{"type":"SEMVER","events":[{"introduced":"1.166.53"},{"fixed":"1.166.54"}]}]
npm @tanstack/solid-start-server
[{"type":"SEMVER","events":[{"introduced":"1.166.57"},{"fixed":"1.166.58"}]}]
npm @tanstack/start-client-core
[{"type":"SEMVER","events":[{"introduced":"1.168.8"},{"fixed":"1.168.9"}]}]
npm @tanstack/start-fn-stubs
[{"type":"SEMVER","events":[{"introduced":"1.161.12"},{"fixed":"1.161.13"}]}]
npm @tanstack/start-plugin-core
[{"type":"SEMVER","events":[{"introduced":"1.169.26"},{"fixed":"1.169.27"}]}]
npm @tanstack/start-server-core
[{"type":"SEMVER","events":[{"introduced":"1.167.36"},{"fixed":"1.167.37"}]}]
npm @tanstack/start-static-server-functions
[{"type":"SEMVER","events":[{"introduced":"1.166.47"},{"fixed":"1.166.48"}]}]
npm @tanstack/start-storage-context
[{"type":"SEMVER","events":[{"introduced":"1.166.41"},{"fixed":"1.166.42"}]}]
npm @tanstack/valibot-adapter
[{"type":"SEMVER","events":[{"introduced":"1.166.15"},{"fixed":"1.166.16"}]}]
npm @tanstack/virtual-file-routes
[{"type":"SEMVER","events":[{"introduced":"1.161.13"},{"fixed":"1.161.14"}]}]
npm @tanstack/vue-router
[{"type":"SEMVER","events":[{"introduced":"1.169.8"},{"fixed":"1.169.9"}]}]
npm @tanstack/vue-router-devtools
[{"type":"SEMVER","events":[{"introduced":"1.166.19"},{"fixed":"1.166.20"}]}]
npm @tanstack/vue-router-ssr-query
[{"type":"SEMVER","events":[{"introduced":"1.166.18"},{"fixed":"1.166.19"}]}]
npm @tanstack/vue-start
[{"type":"SEMVER","events":[{"introduced":"1.167.64"},{"fixed":"1.167.65"}]}]
npm @tanstack/vue-start-client
[{"type":"SEMVER","events":[{"introduced":"1.166.49"},{"fixed":"1.166.50"}]}]
npm @tanstack/vue-start-server
[{"type":"SEMVER","events":[{"introduced":"1.166.53"},{"fixed":"1.166.54"}]}]
npm @tanstack/zod-adapter
[{"type":"SEMVER","events":[{"introduced":"1.166.15"},{"fixed":"1.166.16"}]}]

References

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →