| Título | Node.js @tanstack/db 0.6.8 Prototype Pollution |
|---|
| Descrição | `@tanstack/db` is vulnerable to prototype pollution through public query APIs.
The root package entry exports `queryOnce`, `createCollection`, and `localOnlyCollectionOptions`. A caller can pass an alias containing prototype-pollution path segments to `select()`, such as `__proto__.tanstackPolluted`.
During query compilation, `src/query/compiler/select.ts` processes select aliases as dot-separated nested paths. The alias is split with `alias.split('.')`, and each segment is used to build nested objects in the query result. Dangerous segments such as `__proto__`, `constructor`, and `prototype` are not filtered. When the first segment is `__proto__`, the write cursor can resolve to `Object.prototype`, causing the next assignment to pollute the global object prototype. |
|---|
| Fonte | ⚠️ https://github.com/TanStack/db/issues/1584 |
|---|
| Utilizador | Dremig (UID 95003) |
|---|
| Submissão | 11/06/2026 05h12 (há 1 mês) |
|---|
| Moderação | 13/07/2026 17h40 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 378115 [tanstack db até 0.6.8 Alias Path select.ts select] |
|---|
| Pontos | 20 |
|---|