VU#102648: Code injection vulnerability in binary-parser library

Overview

The binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.

Description

binary-parser is a JavaScript library to facilitate writing “efficient binary parsers in a simple and declarative manner.”
binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization.

If an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.

The vendor has released a fix and clarified the library’s design limitations in version 2.3.0.

Impact

In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.

Solution

Users of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix.
This document was written by Timur Snoke.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

References

Other Information

CVE IDs:	CVE-2026-1245
Date Public:	2026-01-20
Date First Published:	2026-01-20
Date Last Updated:	2026-01-21 17:34 UTC
Document Revision:	2

Source link

What's Hot

Incident: Eagers Automotive says IT outage stems from cyber incident | iTnews

Accelerating Our Footprint and Innovation: Why VulnCheck Posted a Record-Setting Q3 | Blog

CISA Adds One Known Exploited Vulnerability to Catalog

Overview

Description

Impact

Solution

Acknowledgements

Vendor Information

References

Incident: Eagers Automotive says IT outage stems from cyber incident | iTnews

CISA Adds One Known Exploited Vulnerability to Catalog

GitLab security advisory (AV26-327) – Canadian Centre for Cyber Security

Global Takedown of Massive IoT Botnets Halts Record-Breaking Cyberattacks

Catchy & Intriguing

The Grandparent Scam: How AI Voice Technology Makes This Old Con Deadlier Than Ever

Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

Most Popular

Global Takedown of Massive IoT Botnets Halts Record-Breaking Cyberattacks

Catchy & Intriguing

The Grandparent Scam: How AI Voice Technology Makes This Old Con Deadlier Than Ever

Our Picks

Incident: Eagers Automotive says IT outage stems from cyber incident | iTnews

Accelerating Our Footprint and Innovation: Why VulnCheck Posted a Record-Setting Q3 | Blog

CISA Adds One Known Exploited Vulnerability to Catalog

Subscribe to Updates

What's Hot

VU#102648: Code injection vulnerability in binary-parser library

Overview

Description

Impact

Solution

Acknowledgements

Vendor Information

References

Other Information

Related Posts

Subscribe to Updates