NVD脆弱性詳細
Exploit、PoC検索
CVE-2026-45321
概要

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

公表日 2026年5月12日10:16
登録日 2026年5月13日4:11
最終更新日 2026年5月15日2:05
CVSS3.1 : CRITICAL
スコア 9.6
ベクター CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR) 不要
利用者の関与(UI)
影響の想定範囲(S) 変更あり
機密性への影響(C)
完全性への影響(I)
可用性への影響(A)
影響を受けるソフトウェアの構成
構成1 以上 以下 より上 未満
cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/history:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/history:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:*:*:*:*:node.js:*:*
関連情報、対策とツール
共通脆弱性一覧