Threat Advisory

Piscina Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the npm/piscina package, affecting versions 5.0.0-alpha.0 to 5.1.4, versions 4.9.2 and below, and 6.0.0-rc.1. They are Remote Code Execution (RCE) vulnerabilities that can allow attackers to execute arbitrary code on the target system, posing a high business risk to the organization.

CVE-2026-55388 (CVSS score 8.1): This vulnerability is a Prototype Pollution gadget that can lead to RCE via an inherited options.filename. An attacker who can pollute the Object.prototype.filename property can execute arbitrary code on the target system. The pollution itself can be achieved through various means, such as exploiting upstream Prototype Pollution vulnerabilities in other packages.
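
The gadget class described above, as an added example (not piscina's code and not part of the original advisory): a plain read of options.filename picks up a value inherited from Object.prototype, while an own-property check ignores it. The helper names and sample paths are assumptions made for illustration.

```javascript
// Added illustration. readFilenameUnsafe, readFilenameSafe and pollutedKeys are
// hypothetical helpers, not piscina's API or source.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable pattern: a plain property read walks the prototype chain, so a
// value planted on Object.prototype appears on every options object.
function readFilenameUnsafe(options = {}) {
  return options.filename;
}

// Hardened pattern: accept only a property the caller set on the object itself.
function readFilenameSafe(options = {}) {
  return hasOwn(options, 'filename') ? options.filename : undefined;
}

// Detection check: report which watched keys are present on Object.prototype.
// A clean runtime returns an empty array.
function pollutedKeys(watch = ['filename']) {
  return watch.filter((key) => hasOwn(Object.prototype, key));
}

// Constructed demonstration: simulate the state an upstream pollution bug
// leaves behind, observe both readers, then restore the prototype.
function demo() {
  const before = pollutedKeys();
  Object.prototype.filename = '/tmp/constructed-example.js'; // constructed value
  try {
    return {
      before,
      during: pollutedKeys(),
      unsafe: readFilenameUnsafe({}),   // inherited value leaks in
      safe: readFilenameSafe({}),       // inherited value ignored
      explicit: readFilenameSafe({ filename: './worker.js' }), // own value kept
    };
  } finally {
    delete Object.prototype.filename;
  }
}
```

A check like pollutedKeys() can run at startup or in a test suite to flag a polluted prototype while the upgrade in the recommendation below is rolled out.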

The identified vulnerabilities pose a significant risk to the organization: they can be exploited to execute arbitrary code on the target system, potentially leading to data breaches, system compromise, and other malicious activity. They need immediate attention to mitigate these risks and prevent potential business consequences.

RECOMMENDATION:

We recommend updating piscina to version 5.2.0, 4.9.3, or 6.0.0-rc.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-x9g3-xrwr-cwfg