CVE-2026-45321 Elastic Security · Elastic

Detect TanStack Router Unspecified Vulnerability Exploitation in Elastic Security

Detects potential exploitation of CVE-2026-45321, an unspecified vulnerability in TanStack Router that has been added to the CISA Known Exploited Vulnerabilities catalog. TanStack Router is a type-safe routing library for React applications. Given KEV status, active exploitation in the wild is confirmed. Detection focuses on anomalous web application behavior, suspicious client-side routing patterns, unexpected server-side request patterns, and post-exploitation indicators consistent with JavaScript framework exploitation.

MITRE ATT&CK

Tactic
Initial Access Execution Reconnaissance

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and network.direction == "inbound"
   and (
     url.path : ("*__proto__*", "*constructor*prototype*", "*%2e%2e*", "*javascript:*")
     or url.query : ("*__proto__*", "*constructor*prototype*", "*data:text*")
   )
  ] with runs=3
high severity medium confidence

EQL sequence query detecting repeated suspicious requests to TanStack Router applications containing prototype pollution or injection payloads from the same source IP within a 5-minute window.

Data Sources

Web Application LogsNetwork Traffic LogsLoad Balancer Logs

Required Tables

logs-*filebeat-*apm-*

False Positives & Tuning

  • Security testing tools generating multiple probe requests
  • Misconfigured applications generating repeated encoded URL requests
  • Load balancers or proxies forwarding pre-encoded URLs from clients

Other platforms for CVE-2026-45321

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1TanStack Router Prototype Pollution Probe

    Expected signal: Web server access logs will show GET requests to /__proto__/polluted and query parameters containing __proto__ and constructor.prototype strings. Network flow logs will show connections to port 3000.

  2. Test 2TanStack Router Path Traversal via Routing Parameters

    Expected signal: Web access logs will record requests containing URL-encoded path traversal sequences. WAF or web server logs should show the decoded paths if URL decoding is applied before logging.

  3. Test 3TanStack Router JavaScript URI Injection Attempt

    Expected signal: Web server logs will capture requests containing javascript: and data: URI schemes in query parameters. If the application reflects these values, browser-side CSP violation reports may also be generated.

  4. Test 4Post-Exploitation Lateral Movement Simulation from Compromised Node.js Process

    Expected signal: EDR telemetry will show the Node.js process (or a child process) executing id, whoami, cat, find, and env commands. Process lineage will link these to the web server parent process.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-45321 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0043Reconnaissance

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.007JavaScriptT1083File and Directory DiscoveryT1005Data from Local System

Same Tactic: Initial Access

Popular Detections