CVE-2026-1245: Code Injection Flaw Hits Node.js binary-parser

Developers using the popular binary-parser library for Node.js are being urged to update their dependencies immediately following the disclosure of a dangerous code injection vulnerability. The flaw, tracked as CVE-2026-1245, allows attackers to execute arbitrary JavaScript code on a server if the library is used to process untrusted input dynamically.

The library is a staple for many developers, designed to facilitate writing “efficient binary parsers in a simple and declarative manner”. However, the very mechanism that makes it efficient—dynamic code generation—has proven to be its Achilles’ heel.

The vulnerability stems from how the library builds its parsers under the hood. According to the vulnerability note, “binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor”.

While effective for performance, this approach requires strict hygiene. The report reveals that “certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization”.

This oversight creates a direct path for attackers. If a developer builds a parser using external input (for example, allowing a user to define the structure of a file being uploaded), “the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript”.

The consequences of exploitation are severe. Because the injected code runs within the application context, an attacker “may be able to execute arbitrary JavaScript code with the privileges of the Node.js process”.

The potential blast radius is wide. A successful exploit “could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment”.

Not every implementation is vulnerable. The advisory clarifies that “applications that use only static, hardcoded parser definitions are not affected”. The risk is limited to scenarios where parser definitions are constructed dynamically using data from untrusted sources.

The vulnerability was identified by security researcher Maor Caplan and has been patched by the library maintainer, Keichi Takahashi.

Users are advised to “upgrade to version 2.3.0 or later,” which includes input validation and mitigations against unsafe code generation. Furthermore, as a best practice, developers are warned to “avoid passing untrusted or user-controlled values into parser field names or encoding parameters”.

Related Posts:

• Node.js Misused in Malvertising Campaigns to Deliver Stealthy Malware
• PyPI Rejects Malicious ZIP Archives to Block “Parser Confusion” Attacks
• Node.js to Issue CVE for End-of-Life Versions
• CVE-2025-54988: Critical XXE Vulnerability in Apache Tika PDF Parser Exposes Sensitive Data