CVE-2026-15607 in tanstack
Summary
by MITRE • 07/14/2026
A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability resides in the tanstack db library version 0.6.8 and earlier, specifically within the Alias Path Handler component's select function located in src/query/compiler/select.ts. The flaw represents a critical prototype pollution vulnerability that allows attackers to manipulate object prototype attributes through improper input validation. The issue manifests when the application processes user-supplied data that gets directly incorporated into object property assignments without adequate sanitization or validation mechanisms.
The technical exploitation occurs through remote manipulation of input parameters that are subsequently processed by the select function, enabling attackers to modify prototype properties of core JavaScript objects. This type of vulnerability falls under CWE-471 which specifically addresses "Modification of Assumed-Immutable Data" and aligns with ATT&CK technique T1590.302 for "Indicator Removal from Tools" as the patch addresses the underlying mechanism that allows such modifications. When successfully exploited, this vulnerability can lead to arbitrary code execution, privilege escalation, or complete system compromise by altering fundamental object behaviors.
The operational impact of this vulnerability is severe as it enables remote code execution through prototype pollution attacks, where malicious actors can inject malicious properties into object prototypes. This allows attackers to manipulate core JavaScript functionality and potentially gain unauthorized access to sensitive data or system resources. The public exploit availability significantly increases the risk profile, making this vulnerability particularly dangerous for applications that process untrusted input through the affected component. Organizations using tanstack db versions prior to 0.6.9 should immediately assess their exposure and implement remediation measures.
The recommended mitigation strategy involves applying the patch identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded which addresses the prototype pollution vulnerability by implementing proper input validation and sanitization within the select function. Additionally, organizations should implement defensive programming practices such as using Object.freeze() or Object.preventExtensions() on critical objects, implementing strict input validation for all user-supplied data, and conducting regular security audits of third-party libraries. The patch effectively prevents the modification of prototype attributes by ensuring that object properties are properly validated before assignment, thereby eliminating the attack vector that enables remote exploitation through the Alias Path Handler component.