TanStack Unspecified Vulnerability
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Quick answer
TanStack should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 1.166.12
- 1.166.15
- 1.161.9
- 1.161.12
- 0.0.4
- 0.0.7
- 1.154.12
- 1.154.15
- 1.169.5
- 1.169.8
- 1.166.16
- 1.166.19
- 1.166.18
- 1.167.68
- 1.167.71
- 1.166.51
- 1.166.54
- 0.0.47
- 0.0.50
- 1.166.55
- 1.166.58
- 1.166.46
- 1.166.49
- 1.167.6
- 1.167.9
- 1.166.45
- 1.166.48
- 1.167.38
- 1.167.41
- 1.168.3
- 1.168.6
- 1.161.11
- 1.161.14
- 1.166.53
- 1.166.56
- 1.167.65
- 1.166.50
- 1.166.57
- 1.168.5
- 1.168.8
- 1.169.23
- 1.169.26
- 1.167.33
- 1.167.36
- 1.166.44
- 1.166.47
- 1.166.38
- 1.166.41
- 1.161.10
- 1.161.13
- 1.167.61
- 1.167.64
- 2.4.6
- 2.2.3
- 2.2.4
- 1.7.2
- 1.7.3
- 1.0.4
- 1.0.5
- 1.0.2
- 1.0.3
- 0.1.2
- 0.1.3
- 0.1.4
- 0.1.5
- 0.1.6
- 0.1.7
- 0.1.8
- 0.1.9
- 0.1.10
- 0.1.11
- 0.1.12
- 0.1.13
- 0.1.14
- 0.1.15
- 0.1.16
- 0.1.17
- 0.1.19
- 1.0.8
- 1.0.9
- 1.0.10
- 1.0.12
- 1.3.3
- 1.3.4
- 1.3.5
- 1.3.7
- 1.0.6
- 0.0.2
- 0.0.3
- 0.0.5
- 0.0.6
- 0.1.24
- 0.1.25
- 0.1.26
- 0.1.27
- 0.1.28
- 0.1.29
- 1.0.1
- 0.2.1
- 0.2.2
- 0.2.3
- 0.1.1
- 0.13.1
- 0.13.2
- 0.24.1
- 0.24.2
- 0.5.1
- 0.5.2
- 0.16.1
- 0.16.2
- 0.8.3
- 0.8.4
- 1.1.3
- 1.1.4
- 1.1.6
- 0.6.2
- 0.6.3
- 0.6.5
- 0.8.1
- 0.8.2
- 0.5.3
- 0.5.4
- 0.5.6
- 0.5.5
- 0.5.7
- 0.4.2
- 0.4.3
- 0.4.5
- 0.6.4
- 0.6.7
- 0.3.2
- 0.3.3
- 0.3.5
- 0.4.4
- 0.4.7
- 0.8.5
- 0.8.7
- 0.9.1
- 0.9.2
- 0.9.4
- 0.3.6
- 0.3.7
- 0.3.9
- 0.7.3
- 0.7.4
- 0.7.6
- 0.4.6
- 0.5.9
- 3.0.1
- 3.0.2
- 3.0.4
- 0.10.1
- 3.6.2
- 0.28.3
- 0.4.22
- 0.3.1
- 0.0.18
- 1.5.7
- 5.9.2
- 4.24.5
- 2.16.2
- 0.0.19
- 0.0.9
- 0.0.16
- 0.0.34
- 1.1.16
- 0.9.5
- 0.0.35
- 1.0.11
- 0.0.12
- 1.2.3
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Upgrade the affected TanStack package to the fixed release and treat the incident as a software supply-chain exposure. Rebuild from a clean lockfile, clear package caches, and rotate tokens that could have been available to the build or runtime environment.
- Find every project that depends on the affected TanStack package, including apps, examples, CI jobs, and internal templates.
- Upgrade to the fixed package release identified in the GitHub advisory and regenerate lockfiles from a clean dependency graph.
- Delete local, CI, and package-manager caches that may contain the affected artifact.
- Rebuild and redeploy applications from clean CI runners with pinned dependencies.
- Rotate npm, GitHub, CI, cloud, deployment, database, and application secrets that were accessible during builds or runtime.
- Review install scripts, postinstall hooks, bundle output, and repository changes for unexpected code.
- Add dependency review, lockfile integrity checks, and package provenance controls to the release pipeline.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm package-lock, pnpm-lock, yarn.lock, or bun.lock no longer references the affected package version.
- Run npm/pnpm/yarn audit or OSV scanning against the final dependency tree.
- Inspect CI logs for unexpected network calls, script execution, or secret access during the vulnerable window.
- Run the application test suite and smoke tests after rebuilding with the fixed dependency.
- Run a Fixnx scan against the deployed site after redeploying the clean build.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-45321?
TanStack versions listed as affected should be reviewed: 1.166.12, 1.166.15, 1.161.9, 1.161.12, 0.0.4, 0.0.7, 1.154.12, 1.154.15, 1.169.5, 1.169.8, 1.166.16, 1.166.19, 1.166.18, 1.167.68, 1.167.71, 1.166.51, 1.166.54, 0.0.47, 0.0.50, 1.166.55, 1.166.58, 1.166.46, 1.166.49, 1.167.6, 1.167.9, 1.166.45, 1.166.48, 1.167.38, 1.167.41, 1.168.3, 1.168.6, 1.161.11, 1.161.14, 1.166.53, 1.166.56, 1.167.65, 1.166.50, 1.166.57, 1.168.5, 1.168.8, 1.169.23, 1.169.26, 1.167.33, 1.167.36, 1.166.44, 1.166.47, 1.166.38, 1.166.41, 1.161.10, 1.161.13, 1.167.61, 1.167.64, 2.4.6, 2.2.3, 2.2.4, 1.7.2, 1.7.3, 1.0.4, 1.0.5, 1.0.2, 1.0.3, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.19, 1.0.8, 1.0.9, 1.0.10, 1.0.12, 1.3.3, 1.3.4, 1.3.5, 1.3.7, 1.0.6, 0.0.2, 0.0.3, 0.0.5, 0.0.6, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 1.0.1, 0.2.1, 0.2.2, 0.2.3, 0.1.1, 0.13.1, 0.13.2, 0.24.1, 0.24.2, 0.5.1, 0.5.2, 0.16.1, 0.16.2, 0.8.3, 0.8.4, 1.1.3, 1.1.4, 1.1.6, 0.6.2, 0.6.3, 0.6.5, 0.8.1, 0.8.2, 0.5.3, 0.5.4, 0.5.6, 0.5.5, 0.5.7, 0.4.2, 0.4.3, 0.4.5, 0.6.4, 0.6.7, 0.3.2, 0.3.3, 0.3.5, 0.4.4, 0.4.7, 0.8.5, 0.8.7, 0.9.1, 0.9.2, 0.9.4, 0.3.6, 0.3.7, 0.3.9, 0.7.3, 0.7.4, 0.7.6, 0.4.6, 0.5.9, 3.0.1, 3.0.2, 3.0.4, 0.10.1, 3.6.2, 0.28.3, 0.4.22, 0.3.1, 0.0.18, 1.5.7, 5.9.2, 4.24.5, 2.16.2, 0.0.19, 0.0.9, 0.0.16, 0.0.34, 1.1.16, 0.9.5, 0.0.35, 1.0.11, 0.0.12, 1.2.3.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
