Description
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.
Published: 2026-06-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the piscina worker‑pool library, where the constructor and run() functions read the filename option using plain member access. If the caller’s options object lacks a native filename property, the value is resolved via the prototype chain. An attacker can inject a property into Object.prototype, causing the inherited filename to be used when worker_threads.Worker is instantiated. This leads to execution of an attacker‑supplied .mjs file in a worker thread, providing remote code execution capabilities. The weakness corresponds to prototype pollution and dynamic code execution (CWE-1321 and CWE-94).

Affected Systems

The issue affects the piscina library maintained by piscinajs. Versions before 6.0.0-rc.2, 5.2.0, and 4.9.3 are vulnerable; upgrading to any of these patched releases or later eliminates the flaw.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is considered high severity. The EPSS score of 0.00296 indicates a very low exploitation probability, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at this time. However, a prototype pollution gadget can be introduced through user‑controlled data that reaches the piscina constructor, making the attack vector likely through application input. Successful exploitation would grant the attacker ability to run arbitrary code in the same privilege context as the Node.js process.

Generated by OpenCVE AI on June 26, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade piscina to a version that is patched (6.0.0-rc.2, 5.2.0 or 4.9.3 and later).
  • If an upgrade is not immediately possible, review the code paths that provide options objects to piscina, ensuring that no Object.prototype properties can be polluted by validating or sanitizing input before it reaches piscina.
  • Add a runtime check in the application that rejects options objects lacking its own "filename" property or that contain an inherited "filename" entry before invoking piscina.

Generated by OpenCVE AI on June 26, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x9g3-xrwr-cwfg piscina: Prototype Pollution Gadget → RCE via inherited options.filename
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

threat_severity

Important


Wed, 24 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Piscinajs
Piscinajs piscina
Vendors & Products Piscinajs
Piscinajs piscina

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.
Title piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Weaknesses CWE-1321
CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Piscinajs Piscina
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:51:04.171Z

Reserved: 2026-06-16T18:57:40.183Z

Link: CVE-2026-55388

cve-icon Vulnrichment

Updated: 2026-06-23T15:49:54.520Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-22T16:50:40Z

Links: CVE-2026-55388 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:15:11Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')