piscina: Prototype Pollution Gadget → RCE via inherited options.filename
piscina's constructor and run() paths read the filename option via plain member access: // dist/index.js line 92 (constructor) const filename = options.filename ? (0, common_1.maybeFileURLToPath)(options.filename) : null; this.options = { …kDefaultOptions, …options, filename, maxQueue: 0 }; // dist/index.js line 616 (run()) run(task, options = kDefaultRunOptions) { if (options === null || typeof options !== 'object') { return Promise.reject(new TypeError('options must be an object')); } const { transferList, filename, name, signal …