A critical code-injection vulnerability has been identified in the Node.js binary-parser library, affecting all versions before 2.3.0.
The flaw allows attackers to execute arbitrary JavaScript code if untrusted input is used to construct parser definitions, potentially compromising application integrity and system security.
The binary-parser library, designed to facilitate writing efficient binary parsers in a simple, declarative manner, contains a dangerous code-generation flaw.
The library dynamically generates JavaScript code at runtime using the Function constructor.
Critically, user-supplied values, specifically parser field names and encoding parameters, are directly incorporated into the generated code without validation or sanitization.
| Field | Value |
|---|---|
| CVE | CVE-2026-1245 |
| Affected Software | binary-parser (versions < 2.3.0) |
| Vulnerability Type | Code Injection |
| Severity | Critical |
The vulnerability (CVE-2026-1245) stems from unsafe code generation practices.
When applications pass untrusted or externally supplied data into parser field names or encoding parameters, unsanitized values can alter the generated JavaScript code during runtime.
This manipulation enables the execution of attacker-controlled code with full privileges of the Node.js process. It is important to note that applications using only static, hardcoded parser definitions are not affected by this vulnerability.
The risk exists exclusively when dynamic parser definitions are constructed using external or untrusted input sources.
Successful exploitation could allow attackers to execute arbitrary JavaScript code within the Node.js process context.
Depending on the deployment environment and application privileges, this could facilitate unauthorized access to local data and manipulation of application logic.
Execution of system commands or lateral movement within networked infrastructure. Enterprise applications processing third-party data face heightened risk.
The vendor has released version 2.3.0, which implements input validation and mitigations for unsafe code generation.
According to CERT/CC, immediate action is recommended:
- Upgrade binary-parser to version 2.3.0 or later.
- Audit applications for any use of externally-sourced data in parser definitions
Implement strict input validation for any parser configuration parameters. Avoid passing user-controlled values into parser field names or encoding parameters.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
