piscina: Prototype Pollution Gadget → RCE via inherited options.filename

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.

Basic Information

ID CVE-2026-55388

Source GitHub_M

Published Jun 22, 2026 at 16:50

Affected Product

Vendor piscinajs

Product piscina

Version < 4.9.3

Affected Versions piscinajs piscina < 4.9.3
piscinajs piscina >= 5.0.0-alpha.0, < 5.2.0
piscinajs piscina >= 6.0.0-rc.1, < 6.0.0-rc.2

CWE Classification

CWE-94 CWE-1321

References

github.com /piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg

{
    "lastseen": "",
    "description": "piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.",
    "published": "2026-06-22T16:50:40.867Z",
    "modified": "2026-06-22T16:50:40.867Z",
    "type": "cve",
    "title": "piscina: Prototype Pollution Gadget \u2192 RCE via inherited options.filename",
    "source": "GitHub_M",
    "references": "https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg",
    "id": "CVE-2026-55388",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "piscinajs piscina < 4.9.3\npiscinajs piscina >= 5.0.0-alpha.0, < 5.2.0\npiscinajs piscina >= 6.0.0-rc.1, < 6.0.0-rc.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "piscina",
    "version": "< 4.9.3",
    "vendor": "piscinajs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

piscina: Prototype Pollution Gadget → RCE via inherited options.filename_CVE-2026-55388