CVE-2026-45321

TanStack Router Unspecified Vulnerability Exploitation

Detects potential exploitation of CVE-2026-45321, an unspecified vulnerability in TanStack Router that CISA has added to its Known Exploited Vulnerabilities (KEV) catalog. TanStack Router is a type-safe routing library for React applications. KEV listing means CISA has evidence of active exploitation in the wild. Because the vulnerability itself is unspecified, the detection is behavioural rather than signature-based: it looks for anomalous web application traffic, suspicious client-side routing patterns, unexpected server-side request patterns, and post-exploitation indicators consistent with compromise of a JavaScript framework.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
TanStack
Product
TanStack Router

Timeline

Disclosed
May 27, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-45321 TanStack Router Unspecified Vulnerability Exploitation?

TanStack Router Unspecified Vulnerability Exploitation (CVE-2026-45321) maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Execution and Reconnaissance.

This page provides production-ready detection logic for TanStack Router Unspecified Vulnerability Exploitation, covering the data sources and telemetry it touches: IIS logs, Azure App Service logs, WAF logs and Azure Security Center alerts. The query below is rated high severity at medium confidence, and equivalents ship for seven SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Reconnaissance
Microsoft Sentinel / Defender
kusto
let timeWindow = 1h;
let suspiciousRoutePatterns = dynamic(['__proto__', 'constructor', 'prototype', '../', '..\\', '%2e%2e', '%252e', 'javascript:', 'data:text']);
// Security Center alerts that already name TanStack are surfaced alongside the log hits
let tanstackAlerts = SecurityAlert
| where TimeGenerated >= ago(timeWindow)
| where AlertName has_any ('TanStack', 'tanstack-router')
| project FirstSeen=TimeGenerated, LastSeen=TimeGenerated, AlertName, Entities, Source='SecurityAlert';
// Normalise IIS and App Service requests to one schema; match on both the raw and the URL-decoded stem/query
let iisHits = W3CIISLog
| where TimeGenerated >= ago(timeWindow)
| extend DecodedUri = url_decode(csUriStem), DecodedQuery = url_decode(csUriQuery)
| where csUriStem has_any (suspiciousRoutePatterns) or csUriQuery has_any (suspiciousRoutePatterns)
    or DecodedUri has_any (suspiciousRoutePatterns) or DecodedQuery has_any (suspiciousRoutePatterns)
| project TimeGenerated, SourceIP=cIP, Host=csHost, UriStem=csUriStem, UriQuery=csUriQuery, Source='W3CIISLog';
let appServiceHits = AppServiceHTTPLogs
| where TimeGenerated >= ago(timeWindow)
| extend DecodedUri = url_decode(CsUriStem), DecodedQuery = url_decode(CsUriQuery)
| where CsUriStem has_any (suspiciousRoutePatterns) or CsUriQuery has_any (suspiciousRoutePatterns)
    or DecodedUri has_any (suspiciousRoutePatterns) or DecodedQuery has_any (suspiciousRoutePatterns)
| project TimeGenerated, SourceIP=CIp, Host=CsHost, UriStem=CsUriStem, UriQuery=CsUriQuery, Source='AppServiceHTTPLogs';
union iisHits, appServiceHits
// Group by site and route, not by source IP (grouping by IP would make UniqueIPs always 1)
| summarize RequestCount=count(), UniqueIPs=dcount(SourceIP), SourceIPs=make_set(SourceIP, 10), SampleQueries=make_set(UriQuery, 5), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Source, Host, UriStem
| where RequestCount > 5 or UniqueIPs > 3
| extend Severity='High', CVE='CVE-2026-45321'
| union (tanstackAlerts | extend Severity='High', CVE='CVE-2026-45321')

Detects suspicious URL patterns in IIS and App Service request logs that may indicate CVE-2026-45321 exploitation against TanStack Router applications: prototype pollution keys (__proto__, constructor, prototype), path traversal sequences in raw and URL-encoded form, and javascript: or data: URIs in routing parameters. Matching is done on both the raw and the decoded stem and query so that encoded payloads are not missed. The thresholds (more than five requests to one route, or more than three distinct source IPs) suppress one-off hits; lower them when hunting rather than alerting.
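To see what the query above actually keys on, here is the same pattern-and-threshold logic re-implemented in Python and run over a handful of constructed W3C (IIS) log lines. This is an added example, not code from the page's detection package or from TanStack; the host name, IP addresses and log lines are invented, and it goes one step further than the KQL by URL-decoding twice so that double-encoded payloads (javascript%253A) are caught as well.

```python
from collections import defaultdict
from urllib.parse import unquote

# Same pattern list as the KQL query on this page.
SUSPICIOUS_PATTERNS = ['__proto__', 'constructor', 'prototype', '../', '..\\',
                       '%2e%2e', '%252e', 'javascript:', 'data:text']

# Constructed W3C extended-log sample (not real traffic). cs-host is included so hits
# can be grouped per site, as the KQL groups by csHost. "-" is IIS's empty-field marker.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-host cs-uri-stem cs-uri-query c-ip sc-status
2026-05-27 10:00:01 GET app.example.test /__proto__/polluted __proto__[isAdmin]=true 198.51.100.7 404
2026-05-27 10:00:02 GET app.example.test /__proto__/polluted __proto__[isAdmin]=true 198.51.100.7 404
2026-05-27 10:00:03 GET app.example.test /__proto__/polluted constructor.prototype.isAdmin=true 198.51.100.7 404
2026-05-27 10:00:04 GET app.example.test /__proto__/polluted __proto__[isAdmin]=true 198.51.100.7 404
2026-05-27 10:00:05 GET app.example.test /__proto__/polluted __proto__[isAdmin]=true 198.51.100.7 404
2026-05-27 10:00:06 GET app.example.test /__proto__/polluted __proto__[isAdmin]=true 198.51.100.7 404
2026-05-27 10:01:00 GET app.example.test /login next=javascript%253Aalert(1) 203.0.113.10 200
2026-05-27 10:01:05 GET app.example.test /login next=javascript%253Aalert(1) 203.0.113.11 200
2026-05-27 10:01:09 GET app.example.test /login next=javascript%253Aalert(1) 203.0.113.12 200
2026-05-27 10:01:14 GET app.example.test /login next=javascript%253Aalert(1) 203.0.113.13 200
2026-05-27 10:02:00 GET app.example.test /docs/prototype - 192.0.2.44 200
2026-05-27 10:02:30 GET app.example.test /about - 192.0.2.45 200
"""


def parse_w3c(text):
    """Parse W3C extended-log text into dicts keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#'):
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def decode_layers(value, rounds=2):
    """Return the raw value followed by up to `rounds` successive URL-decodings.
    The KQL decodes once; the second pass also exposes double-encoded payloads
    (javascript%253A -> javascript%3A -> javascript:)."""
    layers = [value]
    for _ in range(rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def matched_patterns(stem, query):
    """Patterns present in the raw or decoded stem/query, compared case-insensitively
    like KQL has_any."""
    haystacks = [layer.lower() for value in (stem, query) for layer in decode_layers(value)]
    return sorted(p for p in SUSPICIOUS_PATTERNS if any(p.lower() in h for h in haystacks))


def detect(records, min_requests=5, min_ips=3):
    """Group matching requests by (host, uri-stem) and apply the query's thresholds:
    more than min_requests hits to one route, or more than min_ips distinct sources."""
    groups = defaultdict(lambda: {'count': 0, 'ips': set(), 'patterns': set(), 'times': []})
    for r in records:
        query = '' if r['cs-uri-query'] == '-' else r['cs-uri-query']
        patterns = matched_patterns(r['cs-uri-stem'], query)
        if not patterns:
            continue
        g = groups[(r['cs-host'], r['cs-uri-stem'])]
        g['count'] += 1
        g['ips'].add(r['c-ip'])
        g['patterns'].update(patterns)
        g['times'].append(f"{r['date']} {r['time']}")
    alerts = []
    for (host, stem), g in sorted(groups.items()):
        if g['count'] > min_requests or len(g['ips']) > min_ips:
            alerts.append({'host': host, 'uri_stem': stem,
                           'request_count': g['count'], 'unique_ips': len(g['ips']),
                           'patterns': sorted(g['patterns']),
                           'first_seen': min(g['times']), 'last_seen': max(g['times']),
                           'severity': 'High', 'cve': 'CVE-2026-45321'})
    return alerts


if __name__ == '__main__':
    # /__proto__/polluted alerts on volume, /login on distinct sources;
    # /docs/prototype matches a pattern but stays under both thresholds.
    for alert in detect(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

The /docs/prototype line is the false-positive case worth keeping in mind: a perfectly legitimate route matches the pattern list on its own, and only the thresholds keep it quiet. The /login case shows why decoding matters: neither the raw query nor a single decode contains javascript:, so a once-decoded match would miss it.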

high severity medium confidence

Data Sources

IIS Logs Azure App Service Logs WAF Logs Azure Security Center

Required Tables

W3CIISLog AppServiceHTTPLogs SecurityAlert

False Positives

  • Legitimate security scanners or penetration testing tools probing web applications
  • Web crawlers or automated tools that use unusual URL encoding schemes
  • Development or staging environments with debug routing enabled
  • URL shortener or redirect services that encode special characters
  • Application routes or query parameters that legitimately contain the words constructor or prototype (documentation or API reference paths, for example); these match the pattern list on their own, so the request-count and distinct-IP thresholds are what keep them from alerting

Sigma rule & cross-platform mapping

The detection logic for TanStack Router Unspecified Vulnerability Exploitation (CVE-2026-45321) above is provided in a vendor-neutral form so it can be deployed on any SIEM. The same logic ships as native queries for Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure


Testing Methodology

Validate this detection against the four Atomic Red Team style test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.

  1. Test 1: TanStack Router Prototype Pollution Probe

    Expected signal: Web server access logs will show GET requests to /__proto__/polluted and query parameters containing __proto__ and constructor.prototype strings. Network flow logs will show connections to port 3000.

  2. Test 2: TanStack Router Path Traversal via Routing Parameters

    Expected signal: Web access logs will record requests containing URL-encoded path traversal sequences. WAF or web server logs should show the decoded paths if URL decoding is applied before logging.

  3. Test 3: TanStack Router JavaScript URI Injection Attempt

    Expected signal: Web server logs will capture requests containing javascript: and data: URI schemes in query parameters. If the application reflects these values, browser-side CSP violation reports may also be generated.

  4. Test 4: Post-Exploitation Lateral Movement Simulation from Compromised Node.js Process

    Expected signal: EDR telemetry will show the Node.js process (or a child process) executing id, whoami, cat, find, and env commands. Process lineage will link these to the web server parent process.
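For Test 4 the signal is process lineage rather than URL content: the recon commands matter only when their ancestry leads back to the web server process. The following Python is an added example (not the Pro test and not any vendor's code) that walks constructed EDR-style process-creation events and reports exactly that; the pids, image names and command lines are invented for the illustration, and the intermediate sh -c child reflects how a Node.js child_process.exec call typically appears in telemetry.

```python
# Recon commands named in the expected signal for Test 4.
RECON_COMMANDS = {'id', 'whoami', 'cat', 'find', 'env'}
# Images that identify the web server parent; extend for your runtime (e.g. a PM2 wrapper).
WEB_SERVER_IMAGES = {'node', 'node.exe'}

# Constructed EDR-style process-creation events: (pid, ppid, image, command line).
# pids 2201-2203 descend from the node server through an intermediate "sh -c";
# pid 3001 is the same command from an interactive admin shell and must not fire.
EVENTS = [
    (100,  1,    'systemd', '/sbin/init'),
    (2100, 100,  'node',    'node /srv/app/server.js'),
    (2200, 2100, 'sh',      'sh -c "id; whoami; cat /etc/passwd"'),
    (2201, 2200, 'id',      'id'),
    (2202, 2200, 'whoami',  'whoami'),
    (2203, 2200, 'cat',     'cat /etc/passwd'),
    (3000, 100,  'bash',    'bash'),
    (3001, 3000, 'whoami',  'whoami'),
]


def index_by_pid(events):
    """Build a pid -> process dict lookup from the event tuples."""
    return {pid: {'pid': pid, 'ppid': ppid, 'image': image, 'cmd': cmd}
            for pid, ppid, image, cmd in events}


def ancestors(pid, by_pid, max_depth=16):
    """Walk parent pointers upwards from pid. Stops on an unknown pid, a cycle, or
    max_depth, because pid reuse in real telemetry can produce loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]['ppid']
    return chain


def recon_from_web_server(events):
    """Return recon commands that have a web server process somewhere in their ancestry,
    with the pid of that server and the image chain that links them."""
    by_pid = index_by_pid(events)
    hits = []
    for proc in by_pid.values():
        if proc['image'] not in RECON_COMMANDS:
            continue
        lineage = ancestors(proc['ppid'], by_pid)
        server = next((a for a in lineage if a['image'] in WEB_SERVER_IMAGES), None)
        if server is not None:
            hits.append({'pid': proc['pid'], 'command': proc['cmd'],
                         'web_server_pid': server['pid'],
                         'lineage': [a['image'] for a in lineage]})
    return hits


if __name__ == '__main__':
    for hit in recon_from_web_server(EVENTS):
        print(hit)
```

Matching on any ancestor rather than only the direct parent is deliberate: the commands in the sample are grandchildren of node, and a parent-only check would see sh as the parent and miss them.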
