Node.js Worker Pool Implementation Vulnerability in Piscina by PiscinaJS
CVE-2026-55388

8.1HIGH

Key Information:

Vendor: Piscinajs
Status: Piscina
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-55388?

The piscine library, a Node.js worker pool implementation, contains a vulnerability that allows an attacker to exploit the filename property through prototype pollution. Versions prior to 6.0.0-rc.2, 5.2.0, and 4.9.3 are susceptible due to the library's handling of the filename option. If a caller's options object doesn't have filename as its own property, the lookup traverses the prototype chain, potentially leading to execution of malicious code in the worker threads. This issue is addressed in the latest releases.

Affected Version(s)

piscina < 4.9.3 < 4.9.3

piscina >= 5.0.0-alpha.0, < 5.2.0 < 5.0.0-alpha.0, 5.2.0

piscina >= 6.0.0-rc.1, < 6.0.0-rc.2 < 6.0.0-rc.1, 6.0.0-rc.2

References

https://github.com/piscinajs/piscina/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 16, 2026

CVE-2026-55388 Data

JSON

Piscinajs

What is CVE-2026-55388?

Affected Version(s)

References

CVSS V3.1

Timeline