Critical Vulnerability in the Node.js binary-parser Library
The Node.js binary-parser library contains a critical code-injection vulnerability, impacting all versions before 2.3.0.
The flaw allows attackers to execute arbitrary JavaScript code if untrusted input is used to construct parser definitions, potentially compromising application integrity and system security.
The binary-parser library, designed to facilitate writing efficient binary parsers in a simple, declarative manner, contains a dangerous code-generation flaw.
The library dynamically generates JavaScript code at runtime using the Function constructor.
Critically, user-supplied values, specifically parser field names and encoding parameters, are directly incorporated into the generated code without validation or sanitization.
| Field | Value |
|---|---|
| CVE | CVE-2026-1245 |
| Affected Software | binary-parser (versions < 2.3.0) |
| Vulnerability Type | Code Injection |
| Severity | Critical |
The vulnerability (CVE-2026-1245) stems from unsafe code generation practices.
When applications pass untrusted or externally supplied data into parser field names or encoding parameters, unsanitized values can alter the generated JavaScript code during runtime.
This manipulation enables the execution of attacker-controlled code with the full privileges of the Node.js process. Applications that use only static, hardcoded parser definitions are not affected by this vulnerability.
The risk exists exclusively when dynamic parser definitions are constructed using external or untrusted input sources.
Successful exploitation could allow attackers to execute arbitrary JavaScript code within the Node.js process context.
Depending on the deployment environment and application privileges, this could facilitate unauthorized access to local data, manipulation of application logic, and execution of system commands or lateral movement within networked infrastructure. Enterprise applications processing third-party data face heightened risk.
The vendor has released version 2.3.0, which implements input validation and mitigations for unsafe code generation.
According to CERT/CC, immediate action is recommended:
- Upgrade binary-parser to version 2.3.0 or later.
- Audit applications for any use of externally-sourced data in parser definitions.
- Implement strict input validation for any parser configuration parameters.
- Avoid passing user-controlled values into parser field names or encoding parameters.
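The validation step recommended above can be an allow-list check applied to any externally supplied field description before it reaches a parser definition. The following is an added example, not code from binary-parser or CERT/CC; the function names, the spec shape (`type`, `name`, `encoding`, `length`), the allowed sets and the size limits are assumptions to adapt per application.

```javascript
'use strict';

// Assumed application policy: only these field types and encodings are needed.
const ALLOWED_TYPES = new Set(['uint8', 'uint16le', 'uint16be', 'uint32le', 'uint32be', 'string']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii']);
// Field names must be short, plain identifiers: no quotes, brackets, dots or spaces.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,31}$/;
// Extra precaution (assumption): refuse names with special meaning on JS objects.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Returns a fresh, vetted copy of the spec or throws TypeError.
// Only the vetted copy should ever be used to build a parser definition.
function validateFieldSpec(spec) {
  if (!Array.isArray(spec) || spec.length === 0 || spec.length > 64) {
    throw new TypeError('spec must be an array of 1..64 fields');
  }
  const seen = new Set();
  return spec.map((field, i) => {
    if (field === null || typeof field !== 'object') {
      throw new TypeError(`field ${i}: not an object`);
    }
    const { type, name, encoding, length } = field;
    if (typeof type !== 'string' || !ALLOWED_TYPES.has(type)) {
      throw new TypeError(`field ${i}: type not allowed`);
    }
    if (typeof name !== 'string' || !NAME_RE.test(name) || RESERVED.has(name)) {
      throw new TypeError(`field ${i}: name not allowed`);
    }
    if (seen.has(name)) throw new TypeError(`field ${i}: duplicate name`);
    seen.add(name);
    if (type !== 'string') return { type, name };
    if (typeof encoding !== 'string' || !ALLOWED_ENCODINGS.has(encoding)) {
      throw new TypeError(`field ${i}: encoding not allowed`);
    }
    if (!Number.isInteger(length) || length < 1 || length > 4096) {
      throw new TypeError(`field ${i}: length out of range`);
    }
    return { type, name, options: { encoding, length } };
  });
}

// Convenience wrapper for audit or logging code paths.
function isSafeSpec(spec) {
  try { validateFieldSpec(spec); return true; } catch (e) { return false; }
}
```

This check complements the upgrade to 2.3.0 and does not replace it; rejected specs are worth logging, since they show where external data is reaching parser definitions.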