Critical binary-parser Node.js Vulnerability Enables Malicious Code Injection

The Software Engineering Institute’s CERT Coordination Center has disclosed a critical code injection vulnerability affecting the binary-parser library for Node.js.

Tracked as CVE-2026-1245 and documented under Vulnerability Note VU#102648, the flaw potentially allows arbitrary JavaScript code execution in applications utilizing untrusted input for parser definitions.

Vulnerability Details

The binary-parser library, designed to facilitate writing efficient binary parsers declaratively, contains a dangerous implementation pattern that dynamically generates JavaScript code at runtime using the Function constructor.

Versions before 2.3.0 are affected by this critical weakness. The vulnerability stems from insufficient input validation on user-supplied values, specifically parser field names and encoding parameters that are incorporated directly into generated code without sanitization.

When applications pass untrusted or externally supplied data into these parameters, attackers can inject malicious code that alters the generated JavaScript, enabling execution of attacker-controlled commands.

The risk is greatest for applications that build parser definitions from user-controlled data or from external APIs without validating those values first.

The consequences of exploitation are severe. In vulnerable applications constructing parser definitions using untrusted input, attackers gain the ability to execute arbitrary JavaScript with the full privileges of the Node.js process.

This escalation allows unauthorized access to local data, manipulation of application logic, and potential execution of system-level commands depending on the deployment environment.

Organizations relying on this library should immediately assess whether their implementations use dynamic or static parser definitions.

The vendor has addressed this vulnerability by releasing version 2.3.0, which implements input validation and mitigations for unsafe code generation. Users must upgrade immediately to eliminate exposure.

Additionally, developers should follow secure coding practices by avoiding the incorporation of untrusted or user-controlled values into parser field names or encoding parameters.

Applications utilizing only static, hardcoded parser definitions remain unaffected and do not require urgent patching.
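Where a definition does have to come from outside the code base, each value that ends up in generated code can be checked against an allowlist first. The sketch below is an added example, not code from binary-parser or from the original article: it uses a toy generator built on the Function constructor to show the pattern, and the names `validateDefinition` and `compile`, the allowlists and the sample definition are all assumptions made for illustration.

```javascript
'use strict';
// Added illustration: a toy code-generating parser, not binary-parser's source.
// Every value interpolated into generated code is checked against an allowlist.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;            // plain identifiers only
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
const ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex']);
const READERS = { uint8: ['readUInt8', 1], uint16be: ['readUInt16BE', 2],
                  uint32be: ['readUInt32BE', 4] };

function validateDefinition(def) {
  if (!Array.isArray(def) || def.length === 0) {
    throw new TypeError('definition must be a non-empty array');
  }
  const seen = new Set();
  return def.map((f, i) => {
    if (f === null || typeof f !== 'object') throw new TypeError(`field ${i}: not an object`);
    const { name, type, length, encoding } = f;       // read each property once
    if (typeof name !== 'string' || !IDENT.test(name) || RESERVED.has(name) || seen.has(name)) {
      throw new TypeError(`field ${i}: invalid or duplicate name`);
    }
    seen.add(name);
    if (type === 'string') {
      if (!Number.isInteger(length) || length < 1 || length > 65535) {
        throw new TypeError(`field ${i}: invalid length`);
      }
      if (!ENCODINGS.has(encoding)) throw new TypeError(`field ${i}: encoding not allowed`);
      return { name, type, length, encoding };
    }
    if (typeof type !== 'string' || !Object.prototype.hasOwnProperty.call(READERS, type)) {
      throw new TypeError(`field ${i}: type not allowed`);
    }
    return { name, type };
  });
}

function compile(def) {
  let src = 'const out = {}; let off = 0;\n';
  for (const f of validateDefinition(def)) {          // only validated copies reach codegen
    if (f.type === 'string') {
      src += `out.${f.name} = buf.toString('${f.encoding}', off, off + ${f.length}); off += ${f.length};\n`;
    } else {
      const [fn, size] = READERS[f.type];
      src += `out.${f.name} = buf.${fn}(off); off += ${size};\n`;
    }
  }
  return new Function('buf', src + 'return out;');
}

// Constructed sample: a definition as it might arrive from external configuration.
const sampleDef = [{ name: 'version', type: 'uint8' }, { name: 'len', type: 'uint16be' },
                   { name: 'tag', type: 'string', length: 4, encoding: 'ascii' }];
const sampleResult = compile(sampleDef)(Buffer.from([1, 0, 4, 0x54, 0x45, 0x53, 0x54]));
```

The validator returns fresh objects, so the generator never reads a property of the caller's input after it has been checked.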

Field              Details
CVE ID             CVE-2026-1245
Affected Library   binary-parser (Node.js)
Affected Versions  < 2.3.0

Organizations should prioritize upgrading affected installations to binary-parser version 2.3.0 or later. Conduct a comprehensive inventory of deployed applications using this library and assess whether they construct parser definitions dynamically.

Implement input validation mechanisms across all user-controlled data flows. Monitor CERT coordination channels and npm security advisories for additional guidance on this and related vulnerabilities affecting popular Node.js packages.

The post Critical binary-parser Node.js Vulnerability Enables Malicious Code Injection appeared first on Cyber Security News.

rssfeeds-admin
