Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by piscinajs
CVE-2026-55388 (GCVE-0-2026-55388)
Vulnerability from cvelistv5 – Published: 2026-06-22 16:50 – Updated: 2026-06-22 16:50
VLAI
Title
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Summary
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.
Severity
8.1 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/piscinajs/piscina/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "piscina",
"vendor": "piscinajs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.3"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-alpha.0, \u003c 5.2.0"
},
{
"status": "affected",
"version": "\u003e= 6.0.0-rc.1, \u003c 6.0.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina\u0027s constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller\u0027s options object doesn\u0027t have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker\u0027s .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:50:40.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg"
}
],
"source": {
"advisory": "GHSA-x9g3-xrwr-cwfg",
"discovery": "UNKNOWN"
},
"title": "piscina: Prototype Pollution Gadget \u2192 RCE via inherited options.filename"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55388",
"datePublished": "2026-06-22T16:50:40.867Z",
"dateReserved": "2026-06-16T18:57:40.183Z",
"dateUpdated": "2026-06-22T16:50:40.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}