@tanstack/db is vulnerable to Prototype Pollution
59
Medium Risk
The @tanstack/db query select compiler builds result objects by splitting each select() alias on . and walking the segments into a nested object. Alias segments such as __proto__, prototype, or constructor are not filtered, so an alias like __proto__.polluted writes through to Object.prototype and pollutes it for the rest of the process. Any public entry point that compiles a select, such as queryOnce or createLiveQueryCollection, can trigger this when an application uses untrusted input as an alias path. The fix rejects unsafe alias path segments during select compilation with a new UnsafeAliasPathError.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as a select() alias path.
@tanstack/db is vulnerable to Prototype Pollution in versions 0.2.0 - 0.6.10.
Upgrade the @tanstack/db library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant