CVE Catalog

CVE-2026-55388

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.

Risk Assessment

An attacker could exploit a polluted Object.prototype to inject malicious code into the worker environment, posing a serious security threat to the application.

Recommendation

It is recommended to update the piscina library to versions 6.0.0-rc.2, 5.2.0, or 4.9.3 to mitigate this vulnerability.

Original NVD description (English source)

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS