Intel

AIKIDO-2026-107994

@tanstack/db is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 29, 2026

59

Medium Risk

This Affects:

JS@tanstack/db
0.2.0 - 0.6.10
Fixed in 0.6.11
Are you affected? Scan for Free

TL;DR

The @tanstack/db query select compiler builds result objects by splitting each select() alias on . and walking the segments into a nested object. Alias segments such as __proto__, prototype, or constructor are not filtered, so an alias like __proto__.polluted writes through to Object.prototype and pollutes it for the rest of the process. Any public entry point that compiles a select, such as queryOnce or createLiveQueryCollection, can trigger this when an application uses untrusted input as an alias path. The fix rejects unsafe alias path segments during select compilation with a new UnsafeAliasPathError.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as a select() alias path.

Background info

@tanstack/db is vulnerable to Prototype Pollution in versions 0.2.0 - 0.6.10.

How to fix this

Upgrade the @tanstack/db library to the patch version.