
CERT Coordination Center

Code Injection Vulnerability in binary-parser library

Vulnerability Note VU#102648

Original Release Date: 2026-01-20 | Last Revised: 2026-01-20

Overview

The binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.

Description

binary-parser is a JavaScript library to facilitate writing "efficient binary parsers in a simple and declarative manner." binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization.

If an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.
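The following is an added example, not binary-parser's source code, that reproduces the pattern the advisory describes: a toy declarative parser that compiles field definitions into JavaScript with the Function constructor. The unsafe generator splices the field name and the encoding string straight into the generated source, so a definition built from untrusted data becomes attacker-controlled code. The hardened generator beside it applies the allow-list validation that the Solution section recommends (identifier check for names, fixed set of encodings) and emits validated values as string literals rather than bare source. Field names, the `injectedByName`/`injectedByEncoding` markers and the sample record are all constructed for this illustration.

```javascript
// Added example (not binary-parser's code): a toy declarative parser that
// compiles field definitions into JavaScript with the Function constructor,
// in the unsafe shape the advisory describes, beside a hardened version.

// Constructed input record: one uint8 (0x2a = 42) followed by the 3-byte ASCII string "abc".
const RECORD = Buffer.from([0x2a, 0x61, 0x62, 0x63]);

// Unsafe generator. Field name and encoding are spliced into the source text
// unchecked, so whoever controls the definition controls the generated code.
function buildParserUnsafe(fields) {
  let src = 'const vars = {}; let offset = 0;\n';
  for (const f of fields) {
    if (f.type === 'uint8') {
      src += `vars.${f.name} = buf.readUInt8(offset); offset += 1;\n`;
    } else if (f.type === 'string') {
      src += `vars.${f.name} = buf.toString('${f.encoding}', offset, offset + ${f.length}); offset += ${f.length};\n`;
    }
  }
  src += 'return vars;';
  return new Function('buf', src);
}

// Legitimate, hardcoded definition: behaves as intended with either generator.
const GOOD_DEF = [
  { type: 'uint8', name: 'flags' },
  { type: 'string', name: 'tag', encoding: 'ascii', length: 3 },
];

// Attacker-controlled definition (constructed). The name terminates the
// "vars.<name>" expression and inserts an arbitrary statement before the
// assignment; the encoding does the same inside the toString() call.
const EVIL_DEF = [
  { type: 'uint8', name: 'flags; globalThis.injectedByName = true; vars.x' },
  { type: 'string', name: 'tag', length: 3,
    encoding: "ascii'); globalThis.injectedByEncoding = true; buf.toString('ascii" },
];

// Hardened generator: allow-list every value before it reaches code generation.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ENCODINGS = new Set(['ascii', 'utf8', 'latin1', 'hex']);

function buildParserSafe(fields) {
  let src = 'const vars = {}; let offset = 0;\n';
  for (const f of fields) {
    if (typeof f.name !== 'string' || !IDENTIFIER.test(f.name)) {
      throw new TypeError(`invalid field name: ${JSON.stringify(f.name)}`);
    }
    // Even a validated name is emitted as a JSON string literal, never as bare source.
    const key = JSON.stringify(f.name);
    if (f.type === 'uint8') {
      src += `vars[${key}] = buf.readUInt8(offset); offset += 1;\n`;
    } else if (f.type === 'string') {
      if (!ENCODINGS.has(f.encoding)) {
        throw new TypeError(`unsupported encoding: ${JSON.stringify(f.encoding)}`);
      }
      if (!Number.isInteger(f.length) || f.length < 0) {
        throw new TypeError('length must be a non-negative integer');
      }
      src += `vars[${key}] = buf.toString(${JSON.stringify(f.encoding)}, offset, offset + ${f.length}); offset += ${f.length};\n`;
    } else {
      throw new TypeError(`unknown field type: ${JSON.stringify(f.type)}`);
    }
  }
  src += 'return vars;';
  return new Function('buf', src);
}

// Runs the attacker's definition through the unsafe generator and reports
// which injected statements executed. Expected: both markers set, and the
// intended "flags" field never assigned (the payload rewired it to "x").
function demoUnsafe() {
  delete globalThis.injectedByName;
  delete globalThis.injectedByEncoding;
  const out = buildParserUnsafe(EVIL_DEF)(RECORD);
  return {
    nameInjected: globalThis.injectedByName === true,
    encodingInjected: globalThis.injectedByEncoding === true,
    flags: out.flags,
    x: out.x,
  };
}

// The hardened generator parses the honest definition and rejects the hostile one.
function demoSafe() {
  const good = buildParserSafe(GOOD_DEF)(RECORD);
  let rejected = false;
  try {
    buildParserSafe(EVIL_DEF);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { good, rejected };
}

console.log('unsafe generator:', demoUnsafe());
console.log('hardened generator:', demoSafe());
```

The hardened version rejects the hostile definition before any code is generated, which is the only point at which validation helps: once a string has been concatenated into the Function body, no later check can distinguish the injected statement from the generated one.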

The vendor has released a fix and clarified the library’s design limitations in version 2.3.0.

Impact

In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.

Solution

Users of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix. This document was written by Timur Snoke.

Vendor Information


binary-parser: Affected

Notified: 2025-12-05 Updated: 2026-01-20

CVE-2026-1245: Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The developer has released a patch for this issue. Unpatched versions of the library remain vulnerable, so the library is listed as Affected.


Other Information

CVE IDs: CVE-2026-1245
Date Public: 2026-01-20
Date First Published: 2026-01-20
Date Last Updated: 2026-01-20 18:51 UTC
Document Revision: 1

Sponsored by CISA.