CVE-2026-45321 Splunk · SPL

Detect TanStack Router Unspecified Vulnerability Exploitation in Splunk

Detects potential exploitation of CVE-2026-45321, an unspecified vulnerability in TanStack Router that has been added to the CISA Known Exploited Vulnerabilities catalog. TanStack Router is a type-safe routing library for React applications. Given KEV status, active exploitation in the wild is confirmed. Detection focuses on anomalous web application behavior, suspicious client-side routing patterns, unexpected server-side request patterns, and post-exploitation indicators consistent with JavaScript framework exploitation.

MITRE ATT&CK

Tactics
  • Initial Access
  • Execution
  • Reconnaissance

SPL Detection Query

Splunk (SPL)
(index=web OR index=iis OR index=apache) sourcetype IN ("iis", "apache:access", "nginx:access", "aws:cloudfront:accesslogs")
| eval decoded_uri=urldecode(uri_path), decoded_query=urldecode(uri_query)
| where match(decoded_uri, "(__proto__|constructor\\.prototype|\\.\\./|\\.\\.\\\\)") OR match(decoded_query, "(__proto__|constructor\\.prototype|javascript:|data:text)")
| eval cve="CVE-2026-45321", app_framework="TanStack"
| stats count AS request_count, dc(uri_path) AS unique_paths, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(uri_path) AS sample_paths BY src_ip, dest, http_user_agent
| where request_count > 3
| eval risk_score=case(request_count > 50, 90, request_count > 20, 75, request_count > 5, 60, true(), 40)
| eval severity=case(risk_score >= 75, "critical", risk_score >= 60, "high", true(), "medium")
| table first_seen, last_seen, src_ip, dest, request_count, unique_paths, risk_score, severity, sample_paths, cve
| sort -risk_score

Severity: high · Confidence: medium

Splunk query to detect exploitation attempts against TanStack Router by identifying suspicious URL patterns including prototype pollution, path traversal, and JavaScript injection sequences in web access logs.
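Added example, not code from the original page or from the detection's vendor: the query's matching, grouping and scoring logic re-implemented in Python over a few constructed access-log lines so it can be checked offline. The log line format, the field names and the sample requests are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Same indicator families the SPL query matches after URL decoding.
URI_PATTERN = re.compile(r"(__proto__|constructor\.prototype|\.\./|\.\.\\)")
QUERY_PATTERN = re.compile(r"(__proto__|constructor\.prototype|javascript:|data:text)")

# Constructed sample lines (assumed format): src_ip dest "METHOD url HTTP/1.1" status "user_agent"
SAMPLE_LOG = """\
10.0.0.5 app1 "GET /__proto__/polluted HTTP/1.1" 404 "curl/8.0"
10.0.0.5 app1 "GET /api?__proto__=1 HTTP/1.1" 200 "curl/8.0"
10.0.0.5 app1 "GET /a/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 "curl/8.0"
10.0.0.5 app1 "GET /b?next=javascript:probe HTTP/1.1" 200 "curl/8.0"
10.0.0.9 app1 "GET /docs/%252e%252e/config HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 app1 "GET /products?id=42 HTTP/1.1" 200 "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) \S+" (\d{3}) "([^"]*)"$', re.M)

def full_decode(value, rounds=3):
    """Decode until stable: a single urldecode() pass misses %252e-style double encoding."""
    while rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds - 1
    return value

def risk_score(request_count):
    """Same thresholds as the SPL case() expression."""
    for threshold, score in ((50, 90), (20, 75), (5, 60)):
        if request_count > threshold:
            return score
    return 40

def detect(log_text, min_requests=3):
    """Match each request, then group like the SPL stats ... BY src_ip, dest, http_user_agent."""
    hits = defaultdict(lambda: {"request_count": 0, "sample_paths": set()})
    for m in LINE_RE.finditer(log_text):
        src_ip, dest, _method, url, _status, user_agent = m.groups()
        parts = urlsplit(url)
        if URI_PATTERN.search(full_decode(parts.path)) or QUERY_PATTERN.search(full_decode(parts.query)):
            h = hits[(src_ip, dest, user_agent)]
            h["request_count"] += 1
            h["sample_paths"].add(parts.path)
    alerts = {}
    for key, h in hits.items():
        if h["request_count"] > min_requests:  # the SPL "where request_count > 3"
            score = risk_score(h["request_count"])
            sev = "critical" if score >= 75 else "high" if score >= 60 else "medium"
            alerts[key] = {**h, "risk_score": score, "severity": sev}
    return alerts
```

One difference from the SPL above: the query applies urldecode() once, while full_decode repeats decoding until the value is stable, so a double-encoded traversal sequence such as %252e%252e is also matched here.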

Data Sources

  • IIS Access Logs
  • Apache Access Logs
  • Nginx Access Logs
  • AWS CloudFront Logs

Required Sourcetypes

  • iis
  • apache:access
  • nginx:access
  • aws:cloudfront:accesslogs

False Positives & Tuning

  • Automated security scanners performing web application vulnerability assessments
  • Legitimate applications that pass encoded characters in URL parameters
  • Content delivery network log entries with pre-encoded URLs from upstream sources
  • Search engine crawlers or bots that traverse unusual URL structures

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: TanStack Router Prototype Pollution Probe

    Expected signal: Web server access logs will show GET requests to /__proto__/polluted and query parameters containing __proto__ and constructor.prototype strings. Network flow logs will show connections to port 3000.

  2. Test 2: TanStack Router Path Traversal via Routing Parameters

    Expected signal: Web access logs will record requests containing URL-encoded path traversal sequences. WAF or web server logs should show the decoded paths if URL decoding is applied before logging.

  3. Test 3: TanStack Router JavaScript URI Injection Attempt

    Expected signal: Web server logs will capture requests containing javascript: and data: URI schemes in query parameters. If the application reflects these values, browser-side CSP violation reports may also be generated.

  4. Test 4: Post-Exploitation Lateral Movement Simulation from Compromised Node.js Process

    Expected signal: EDR telemetry will show the Node.js process (or a child process) executing id, whoami, cat, find, and env commands. Process lineage will link these to the web server parent process.
