A critical code injection vulnerability in the popular Node.js binary-parser library exposes applications to arbitrary JavaScript execution.
CERT/CC published Vulnerability Note VU#102648 on January 20, 2026, assigning it CVE-2026-1245.
The flaw affects versions before 2.3.0 and stems from unsafe dynamic code generation. Developers using untrusted input for parser definitions face severe risks, including full process compromise.
binary-parser simplifies parsing binary data in JavaScript with declarative syntax. It powers tools for network protocols, file formats, and embedded systems data.
However, versions under 2.3.0 use JavaScript’s Function constructor to build parser code at runtime.
Attackers exploit this by injecting malicious payloads into field names or encoding parameters.
Technical Breakdown
The vulnerability arises during parser instantiation. Consider this vulnerable code snippet:
const BinaryParser = require('binary-parser').Parser;
// Attacker-controlled string; the embedded quote is escaped so the literal itself is valid JavaScript
const userInput = '{"field": ""; require("child_process").exec("rm -rf /"); \'"}';
const parser = new BinaryParser({
  field1: { formatter: userInput } // Unsanitized injection point
});
Here, userInput breaks out of the string context, executes child_process.exec("rm -rf /"), and closes the object.
The Function constructor evaluates this as executable JavaScript, running with Node.js process privileges.
Key injection vectors include:
- Field names: Directly interpolated into generated code without escaping.
- Encoding parameters: Passed to functions like utf8String or asciiString, enabling prototype pollution or eval-like execution.
- Nested structures: Recursive parser definitions amplify the attack surface.
No authentication is needed; any untrusted data source suffices, such as HTTP headers, file metadata, or database fields. Static, hardcoded parsers remain safe, as they bypass dynamic generation.
Impact escalates in server environments. Attackers gain shell access, steal sensitive data, or pivot to other systems.
Node.js apps in cloud functions, APIs, or IoT backends amplify the blast radius. CVSS scoring is pending, but CERT rates it critical due to remote code execution potential.
No Indicators of Compromise (IoCs) are available. This prototype pollution-style flaw leaves no network signatures or file artifacts.
Detection relies on behavioral monitoring: watch for anomalous Function constructor usage or unexpected child processes in Node.js runtimes. Tools like Falco or Sysdig can alert on new Function() with dynamic strings.
Mitigation and Response
Upgrade immediately to binary-parser 2.3.0 or later. Maintainer Keichi Takahashi merged pull request #283 on GitHub, adding input sanitization and whitelisting for field names. Key changes:
- Escape special characters in user-supplied strings.
- Reject invalid encoding params.
- Warn on deprecated dynamic features.
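The injection vectors listed under Technical Breakdown and the allowlisting described in the key changes above, shown side by side on a toy code generator. This is an added example, not binary-parser's source or the PR #283 patch; the definition shape, the names generate, compileUnsafe, compileSafe and validateFields, and the encoding allowlist are assumptions, and the tainted field name is constructed with a harmless marker statement.

```javascript
// Toy code generator, constructed for illustration (NOT binary-parser's source).
// Field definitions are turned into source text and compiled with Function.
const READERS = new Map([['uint8', ['readUInt8', 1]], ['uint16be', ['readUInt16BE', 2]]]);
const ENCODINGS = new Set(['utf8', 'ascii', 'hex', 'latin1']); // assumed allowlist
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function generate(fields) {
  let src = 'const out = {}; let off = 0;\n';
  for (const f of fields) {
    if (f.type === 'string') {
      src += `out.${f.name} = buf.toString('${f.encoding}', off, off + ${f.length}); off += ${f.length};\n`;
    } else {
      const [method, size] = READERS.get(f.type);
      src += `out.${f.name} = buf.${method}(off); off += ${size};\n`;
    }
  }
  return src + 'return out;';
}

// Before: whatever is in the definition becomes part of the compiled source.
const compileUnsafe = (fields) => new Function('buf', generate(fields));

// After: every value that reaches the source text is checked against an allowlist.
function validateFields(fields) {
  for (const f of fields) {
    if (typeof f.name !== 'string' || !IDENTIFIER.test(f.name)) {
      throw new TypeError(`invalid field name: ${JSON.stringify(f.name)}`);
    }
    if (f.type === 'string') {
      if (!ENCODINGS.has(f.encoding)) throw new TypeError('invalid encoding');
      if (!Number.isInteger(f.length) || f.length < 0) throw new TypeError('invalid length');
    } else if (!READERS.has(f.type)) {
      throw new TypeError(`unsupported type: ${JSON.stringify(f.type)}`);
    }
  }
  return fields;
}
const compileSafe = (fields) => compileUnsafe(validateFields(fields));

// Constructed inputs: an honest definition, and one whose field name carries a harmless marker.
const HONEST = [{ name: 'len', type: 'uint8' }, { name: 'tag', type: 'string', encoding: 'ascii', length: 2 }];
const TAINTED = [{ name: 'a = 0; globalThis.markerRan = true; out.b', type: 'uint8' }];

function demo(buf = Buffer.from([0x02, 0x68, 0x69])) {
  globalThis.markerRan = false;
  compileUnsafe(TAINTED)(buf); // the marker statement runs as part of the generated parser
  const unsafeRan = globalThis.markerRan;
  let rejected = false;
  try { compileSafe(TAINTED); } catch (e) { rejected = e instanceof TypeError; }
  return { unsafeRan, rejected, parsed: compileSafe(HONEST)(buf) };
}
```

The validation runs before any source text is built, so a rejected definition never reaches the Function constructor.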
Verify via npm:
npm install "binary-parser@>=2.3.0"
npm audit
Audit your codebase for dynamic parsers:
- Grep for new Parser({ with variables.
- Replace with safe alternatives like buffer module or struct libraries.
- Enforce principle of least privilege: Run Node.js as non-root.
Researcher Maor Caplan reported the issue; Timur Snoke authored the CERT note. Track updates at CERT VU#102648, CVE-2026-1245, npm binary-parser, and GitHub PR #283.
This flaw underscores risks in “declarative” libraries with runtime code gen. Node.js devs should favor typed parsing libs like binary-parser-ts or native Buffers.
