CVE-2026-55388
piscina: Prototype Pollution Gadget โ RCE via inherited options.filename
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.
| CWE | CWE-94 CWE-1321 |
| Vendor | piscinajs |
| Product | piscina |
| Published | Jun 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for piscinajs piscina
Be the first to know when new high vulnerabilities affecting piscinajs piscina are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
piscinajs / piscina
< 4.9.3 >= 5.0.0-alpha.0, < 5.2.0 >= 6.0.0-rc.1, < 6.0.0-rc.2