GHSA-9m65-766c-r333
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@tanstack/start-server-corenpmDescription
Summary
A type-confusion bug in seroval ≤ 1.5.2 (upstream advisory) allowed a crafted JSON body sent to one TanStack Start server function to trigger invocation of a different client-referenced server function as a side effect of deserializing the request payload.
This is not an authentication bypass and not remote code execution. The mechanism only invokes server functions that the same client could already reach directly via /_serverFn/<id>, and the target function's full middleware chain — including any user-supplied authentication, authorization, and inputValidator — runs as it would on a direct call.
Impact
To be exploitable in any meaningful sense, an application would need to expose a client-referenced server function that:
- Performs a privileged side effect, and
- Has no authentication/authorization middleware, and
- Has no input validation
A function meeting all three is already directly callable by any unauthenticated client at its own endpoint, so the practical impact on correctly-written applications is nil. The residual concerns are:
A request to function A could cause function B to also execute, which may surprise observability/audit logging that keys off the request URL.
Request-level middleware (as opposed to per-function middleware) does not re-run for the inner invocation. Server-only functions (isClientReferenced: false) cannot be reached through this mechanism.
Patches
Upgrade to @tanstack/start-server-core ≥ 1.167.30 (or the equivalent dated release of @tanstack/react-start / @tanstack/solid-start). The fix bumps seroval to ≥ 1.5.3 and adds defense-in-depth to the serialization adapter plugin shape so adapter payloads cannot be confused with internal seroval node types.
Workarounds
If you cannot upgrade immediately, ensure every createServerFn(...) exposed to the client has both an .inputValidator(...) and authentication/authorization middleware via .middleware([...]). This is recommended regardless of this advisory.
Credits
- Mufeed VH of Winfunc Research
- Upstream fix coordinated with Seroval maintainers https://github.com/lxsmnsyc/seroval
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @tanstack/start-server-core | all versions | 1.167.30 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @tanstack/start-server-core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @tanstack/start-server-core to 1.167.30 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-9m65-766c-r333 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-9m65-766c-r333 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-9m65-766c-r333. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-9m65-766c-r333 in your dependencies?
O3 detects GHSA-9m65-766c-r333 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.