Full Report
A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript. The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a
Analysis Summary
# Vulnerability: Arbitrary JavaScript Execution in binary-parser npm Library
## CVE Details
- CVE ID: CVE-2026-1245
- CVSS Score: N/A (Severity not specified in source)
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')) - *Inferred from technical details concerning "lack of sanitization" leading to arbitrary code execution.*
## Affected Systems
- Products: binary-parser npm library
- Versions: All versions prior to 2.3.0
- Configurations: Applications that construct parser definitions using untrusted, user-supplied input for parser field names or encoding parameters. Applications using only static, hard-coded parser definitions are not affected.
## Vulnerability Description
The vulnerability stems from a lack of proper sanitization of user-supplied values (such as parser field names and encoding parameters) when the library dynamically generates JavaScript parsing code at runtime using the `Function` constructor. An attacker-controlled input can reach the dynamically generated code without adequate validation, leading to the execution of arbitrary JavaScript code with the privileges of the Node.js process.
## Exploitation
- Status: The source does not state that the flaw has been exploited in the wild; the advisory details imply that a proof of concept is known.
- Complexity: Likely **Medium** (requires the application to build parsers dynamically from untrusted input).
- Attack Vector: **Network** (via untrusted input that the application uses to build parser definitions)
## Impact
- Confidentiality: Potential for **High** impact (Access to local data).
- Integrity: Potential for **High** impact (Manipulation of application logic).
- Availability: Potential for **High** impact (Execution of system commands leading to service disruption).
## Remediation
### Patches
- The issue is addressed in version **2.3.0**.
- Patches were released on November 26, 2025.
### Workarounds
- Avoid passing user-controlled or untrusted values into parser field names or encoding parameters when building parser definitions dynamically.
- Ensure that any input used to construct parser definitions is strictly validated or hard-coded (static definition).
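One way to apply the strict-validation workaround, shown as an added example that is not code from binary-parser or its advisory: an allowlist check that runs on an untrusted parser description before any of its values reach a parser builder. The spec shape (`type`, `name`, `encoding`, `length`), the allowlists, the limits and the function names are all assumptions made for illustration.

```javascript
// Added example (hypothetical names): allowlist validation of an untrusted
// parser description. Nothing here calls binary-parser; the validated copy
// is what an application would pass on to its own parser-building code.
const ALLOWED_TYPES = new Set(["uint8", "uint16be", "uint32be", "string"]);
const ALLOWED_ENCODINGS = new Set(["utf8", "ascii", "hex"]);
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,31}$/; // identifier characters only
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);
const MAX_FIELDS = 64;
const MAX_STRING_LENGTH = 4096;

function validateField(field, seen) {
  if (field === null || typeof field !== "object" || Array.isArray(field)) {
    throw new TypeError("field must be a plain object");
  }
  const { type, name, encoding, length } = field;
  // typeof checks come first so objects with a custom toString() cannot
  // slip past the regex or Set lookups through implicit coercion.
  if (typeof type !== "string" || !ALLOWED_TYPES.has(type)) {
    throw new RangeError("field type not in allowlist");
  }
  if (typeof name !== "string" || !NAME_RE.test(name) || RESERVED.has(name)) {
    throw new RangeError("field name rejected");
  }
  if (seen.has(name)) throw new RangeError("duplicate field name");
  seen.add(name);
  if (type !== "string") return Object.freeze({ type, name });
  // String fields also carry an encoding parameter, which is checked too.
  const enc = encoding === undefined ? "utf8" : encoding;
  if (typeof enc !== "string" || !ALLOWED_ENCODINGS.has(enc)) {
    throw new RangeError("encoding not in allowlist");
  }
  if (!Number.isInteger(length) || length < 1 || length > MAX_STRING_LENGTH) {
    throw new RangeError("length must be an integer in range");
  }
  return Object.freeze({ type, name, encoding: enc, length });
}

// Returns a fresh, frozen copy holding only validated primitives; unknown
// keys are dropped. Throws on the first invalid field.
function validateFieldSpec(spec) {
  if (!Array.isArray(spec) || spec.length === 0 || spec.length > MAX_FIELDS) {
    throw new TypeError("spec must be a non-empty array of bounded size");
  }
  const seen = new Set();
  return Object.freeze(spec.map((f) => validateField(f, seen)));
}
```

Error messages deliberately omit the rejected value so untrusted text is not echoed into logs. A check like this complements upgrading to 2.3.0 and does not replace it.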
## Detection
- **Indicators of Compromise:** Unexpected system calls, file access, or application logic changes originating from Node.js processes utilizing the `binary-parser` library, particularly if unusual parsing definitions are loaded.
- **Detection Methods and Tools:** Monitor runtime environments for dynamic code compilation in which user-supplied input is passed into the Node.js `Function` constructor within the `binary-parser` routines.
## References
- Vendor advisory (CERT/CC): https://kb.cert.org/vuls/id/102648
- Library fix Pull Request: https://github.com/keichi/binary-parser/pull/283
- Product Page: https://www.npmjs.com/package/binary-parser
- GitHub Repository: https://github.com/keichi/binary-parser