
A security vulnerability has been disclosed in the popular binary-parser npm library that could be successfully exploited to execute arbitrary JavaScript.
This vulnerability is tracked as CVE-2026-1245 (CVSS score: N/A) and affects all versions of the module prior to version 2.3.0, which resolves the issue. A patch for this flaw was released on November 26, 2025.
Binary-parser is a widely used parser builder for JavaScript that allows developers to parse binary data. It supports a wide range of common data types such as integers, floating-point values, strings, and arrays. The package is downloaded approximately 13,000 times each week.
According to an advisory published by the CERT Coordination Center (CERT/CC), the vulnerability is related to the lack of sanitization of user-specified values such as parser field names and encoding parameters when JavaScript parser code is dynamically generated at runtime using the “Function” constructor.

Note that the npm library constructs the JavaScript source code as a string representing the parsing logic, compiles it using the Function constructor, and caches it as an executable function to parse the buffer efficiently.
However, as a result of CVE-2026-1245, when an application builds a parser definition from untrusted data, attacker-controlled input can reach the generated code without proper validation, potentially leading to arbitrary code execution. Applications that use only static, hard-coded parser definitions are not affected by this flaw.
“An affected application that uses untrusted input to construct a parser definition could allow an attacker to execute arbitrary JavaScript code with the privileges of the Node.js process,” CERT/CC said. “Depending on the deployment environment, this could allow access to local data, manipulation of application logic, and execution of system commands.”
Security researcher Maor Caplan is credited with discovering and reporting the vulnerability. Users of binary-parser are encouraged to upgrade to version 2.3.0 and avoid passing user-controlled values to parser field names or encoding parameters.
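To make the mechanism described above concrete, here is an added example (it is not binary-parser's own code and does not reproduce its API): a deliberately small model of a parser builder that, like the library, emits JavaScript source as a string and compiles it with the Function constructor. The field shape `{ name, type, length, encoding }`, the hypothetical `generateSource`/`compileParser` helpers, and the allowlists are all assumptions made for the illustration. The unvalidated path shows how a raw field name or encoding value ends up verbatim in the generated source; the validated path applies the checks a defender would want before any user-supplied value touches the generator, which is the practical form of the advice to keep user-controlled values out of field names and encoding parameters.

```javascript
// Added example, not binary-parser's code: a minimal model of a code-generating
// parser builder. Field definitions are objects like
//   { name: "version", type: "uint8" }
//   { name: "tag", type: "string", length: 3, encoding: "ascii" }
// (this shape is an assumption for the example).

const ALLOWED_ENCODINGS = new Set(["utf8", "ascii", "latin1", "hex"]);
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// A field name is acceptable only if it is a plain identifier and not a key
// that would tamper with the result object's prototype chain.
function isSafeFieldName(name) {
  return typeof name === "string" && IDENTIFIER.test(name) && !RESERVED_KEYS.has(name);
}

function isAllowedEncoding(enc) {
  return typeof enc === "string" && ALLOWED_ENCODINGS.has(enc);
}

// Emit one statement of generated source for a field.
// validate=false models the unsanitized interpolation the advisory describes;
// validate=true rejects anything that is not on the allowlist and, as defense
// in depth, still quotes the key and encoding with JSON.stringify.
function emitField(f, validate) {
  if (validate && !isSafeFieldName(f.name)) {
    throw new TypeError(`rejected field name ${JSON.stringify(String(f.name))}`);
  }
  const key = validate ? `out[${JSON.stringify(f.name)}]` : `out.${f.name}`;
  switch (f.type) {
    case "uint8":
      return `${key} = buf.readUInt8(offset); offset += 1;`;
    case "uint16le":
      return `${key} = buf.readUInt16LE(offset); offset += 2;`;
    case "string": {
      if (validate && !isAllowedEncoding(f.encoding)) {
        throw new TypeError(`rejected encoding ${JSON.stringify(String(f.encoding))}`);
      }
      if (validate && !(Number.isInteger(f.length) && f.length >= 0)) {
        throw new TypeError(`rejected length ${String(f.length)}`);
      }
      const enc = validate ? JSON.stringify(f.encoding) : `'${f.encoding}'`;
      return `${key} = buf.toString(${enc}, offset, offset + ${f.length}); offset += ${f.length};`;
    }
    default:
      throw new TypeError(`unknown field type ${String(f.type)}`);
  }
}

// Build the full source string for a parser body.
function generateSource(fields, validate) {
  const lines = ["let offset = 0;", "const out = {};"];
  for (const f of fields) lines.push(emitField(f, validate));
  lines.push("return out;");
  return lines.join("\n");
}

// Compile with the Function constructor, the same mechanism the library uses.
// Only the validated generator is ever compiled here.
function compileParser(fields) {
  return new Function("buf", generateSource(fields, true));
}

// Demo on a constructed 6-byte buffer: version=2, length=16 (LE), tag="ABC".
const demoFields = [
  { name: "version", type: "uint8" },
  { name: "length", type: "uint16le" },
  { name: "tag", type: "string", length: 3, encoding: "ascii" },
];
const demoBuffer = Buffer.from([0x02, 0x10, 0x00, 0x41, 0x42, 0x43]);
console.log(compileParser(demoFields)(demoBuffer));

// The unvalidated generator copies a bad field name straight into the source;
// the validated generator refuses it before anything is compiled.
const untrustedField = { name: "x; injected()", type: "uint8" };
console.log(generateSource([untrustedField], false));
try {
  compileParser([untrustedField]);
} catch (e) {
  console.log("validated builder:", e.message);
}
```

The key points for a defender are the order of operations and the two layers: validation happens before any string is assembled, and the assembled string never contains an unquoted user value even after validation. Reviewing a code base for this pattern means looking for any `new Function` or `eval` whose input string is built from request parameters, configuration uploaded by users, or schema documents fetched from outside the trust boundary.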
