CVE-2026-55388
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.
Risk Assessment
An attacker could exploit a polluted Object.prototype to inject malicious code into the worker environment, posing a serious security threat to the application.
Recommendation
It is recommended to update the piscina library to versions 6.0.0-rc.2, 5.2.0, or 4.9.3 to mitigate this vulnerability.
Original NVD description (English source)
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.

