SCA: security update for @tanstack/arktype-adapter, @tanstack/eslint-plugin-router, @tanstack/eslint-plugin-start, @tanstack/history, @tanstack/nitro-v2-vite-plugin, @tanstack/react-router, @tanstack/react-router-devtools, @tanstack/react-router-ssr-query, @tanstack/react-start, @tanstack/react-start-client, @tanstack/react-start-rsc, @tanstack/react-start-server, @tanstack/router-cli, @tanstack/router-core, @tanstack/router-devtools, @tanstack/router-devtools-core, @tanstack/router-generator, @tanstack/router-plugin, @tanstack/router-ssr-query-core, @tanstack/router-utils, @tanstack/router-vite-plugin, @tanstack/solid-router, @tanstack/solid-router-devtools, @tanstack/solid-router-ssr-query, @tanstack/solid-start, @tanstack/solid-start-client, @tanstack/solid-start-server, @tanstack/start-client-core, @tanstack/start-fn-stubs, @tanstack/start-plugin-core, @tanstack/start-server-core, @tanstack/start-static-server-functions, @tanstack/start-storage-context, @tanstack/valibot-adapter, @tanstack/virtual-file-routes, @tanstack/vue-router, @tanstack/vue-router-devtools, @tanstack/vue-router-ssr-query, @tanstack/vue-start, @tanstack/vue-start-client, @tanstack/vue-start-server, @tanstack/zod-adapter (GHSA-g7cv-rxg3-hmpx)

Critical | Tenable Self-Hosted Container Security | Plugin ID 441730

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. (CVE-2026-45321)

Solution

Update the @tanstack/react-start-rsc library and its related packages to version 0.0.51 or later.

See Also

https://github.com/advisories/GHSA-g7cv-rxg3-hmpx

Plugin Details

Severity: Critical

ID: 441730

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 5/12/2026

Updated: 6/10/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.3

Percentile: 99.81

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45321

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/12/2026

Vulnerability Publication Date: 5/12/2026

Reference Information

CVE: CVE-2026-45321

CWE: CWE-506