CVE-2026-55388
Received - Intake
Prototype Pollution in Piscina Leading to Code Execution

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
piscina is a Node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream, the inherited value flows to the worker_threads.Worker import and the attacker's .mjs runs in the worker. This vulnerability is fixed in 6.0.0-rc.2, 5.2.0, and 4.9.3.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: piscina
Product: piscina
Version / Range: to 6.0.0-rc.2 (exc)
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

CVE-2026-55388 is a high-severity vulnerability in the piscina Node.js worker pool library that allows Remote Code Execution (RCE) through prototype pollution.

The issue occurs because piscina reads the 'filename' option via plain member access, which means if the caller's options object does not have its own 'filename' property, the code falls back to reading it from the prototype chain.

If an attacker manages to pollute Object.prototype.filename (for example, through upstream prototype pollution vulnerabilities in dependencies like lodash, qs, or minimist), the piscina worker thread will import and execute the attacker's malicious .mjs file.

This leads to the attacker's code running within the worker thread, enabling arbitrary code execution.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely within the context of the piscina worker thread.

  • Data exfiltration: The attacker can steal sensitive data processed by the application.
  • Response poisoning: The attacker can manipulate the responses returned by the worker.
  • Process manipulation: The attacker can control return values and potentially affect the stability or behavior of the entire process.

The malicious code persists until the process is restarted, making the impact long-lasting during runtime.

Detection Guidance

Detection involves confirming whether your system is running a vulnerable version of the piscina library (versions <= 5.1.4, <= 4.9.2, and <= 6.0.0-rc.1) and checking for signs of prototype pollution affecting Object.prototype.filename.

You can start by verifying the installed version of piscina in your Node.js environment using the following command:

  • npm list piscina

To detect prototype pollution, you may inspect if Object.prototype.filename has been modified unexpectedly. In a Node.js REPL or script, you can run:

  • console.log(Object.prototype.filename)

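If this outputs a value other than undefined, it indicates prototype pollution, which this vulnerability could exploit. The prototype is per-process runtime state, so the check is only meaningful when it runs inside the application process itself; a freshly started REPL does not reflect what has happened in a running service.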

Additionally, monitoring for unexpected execution of .mjs files or unusual worker thread behavior in your application logs may help detect exploitation attempts.
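The difference between the plain member read named in the description and an own-property read, together with an in-process pollution check, is shown below as an added example. It is not piscina's code and not necessarily how the fix is implemented; `plainRead`, `ownRead`, `findPollutedKeys` and `demo` are hypothetical names, and the path is a constructed placeholder.

```javascript
// Added illustration, not piscina's source. All names here are hypothetical.

// The pattern the advisory describes: a plain member read falls through
// the prototype chain when `options` has no own `filename`.
function plainRead(options) {
  return options.filename;
}

// One way to harden the read: accept the value only if it is an own property.
function ownRead(options) {
  return Object.hasOwn(options, 'filename') ? options.filename : undefined;
}

// In-process check: every built-in on Object.prototype is non-enumerable,
// so any enumerable key here was added at runtime by ordinary assignment.
function findPollutedKeys() {
  return Object.keys(Object.prototype);
}

// Simulates the polluted state inside this process only, compares the
// reads, and always restores the prototype afterwards.
function demo() {
  const callerOptions = { maxThreads: 2 }; // caller never set `filename`
  Object.prototype.filename = '/constructed/placeholder.mjs'; // constructed value
  try {
    return {
      plain: plainRead(callerOptions),  // inherited value leaks through
      own: ownRead(callerOptions),      // undefined: not an own property
      // Copying options onto a null-prototype object also blocks inheritance.
      nullProto: plainRead(Object.assign(Object.create(null), callerOptions)),
      polluted: findPollutedKeys(),     // ['filename']
    };
  } finally {
    delete Object.prototype.filename;
  }
}

console.log(demo());
```

Calling `findPollutedKeys()` at startup and periodically from inside the service gives a broader signal than checking `filename` alone, since it reports any enumerable key added to Object.prototype.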

Mitigation Strategies

The primary mitigation step is to upgrade the piscina library to a fixed version where the vulnerability is resolved. Specifically, update to version 6.0.0-rc.2, 5.2.0, or 4.9.3 or later.

If immediate upgrade is not possible, ensure that no upstream dependencies or code paths allow prototype pollution, especially targeting Object.prototype.filename.

Review and sanitize any user-controllable inputs or dependencies that could lead to prototype pollution.

Monitor your application for suspicious worker thread activity or unexpected execution of .mjs files.

Consider applying runtime protections or sandboxing to limit the impact of potential remote code execution.
