Impact
The vulnerability arises in the piscina worker‑pool library, where the constructor and run() functions read the filename option using plain member access. If the caller’s options object lacks a native filename property, the value is resolved via the prototype chain. An attacker can inject a property into Object.prototype, causing the inherited filename to be used when worker_threads.Worker is instantiated. This leads to execution of an attacker‑supplied .mjs file in a worker thread, providing remote code execution capabilities. The weakness corresponds to prototype pollution and dynamic code execution (CWE-1321 and CWE-94).
Affected Systems
The issue affects the piscina library maintained by piscinajs. Versions before 6.0.0-rc.2, 5.2.0, and 4.9.3 are vulnerable; upgrading to any of these patched releases or later eliminates the flaw.
Risk and Exploitability
With a CVSS score of 8.1 the vulnerability is considered high severity. The EPSS score of 0.00296 indicates a very low exploitation probability, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at this time. However, a prototype pollution gadget can be introduced through user‑controlled data that reaches the piscina constructor, making the attack vector likely through application input. Successful exploitation would grant the attacker ability to run arbitrary code in the same privilege context as the Node.js process.
OpenCVE Enrichment
Github GHSA