Ravie LakshmananJan 21, 2026Open Supply / Vulnerability
A safety vulnerability has been disclosed within the well-liked binary-parser npm library that, if efficiently exploited, may end result within the execution of arbitrary JavaScript.
The vulnerability, tracked as CVE-2026-1245 (CVSS rating: N/A), impacts all variations of the module previous to model 2.3.0, which addresses the problem. Patches for the flaw have been launched on November 26, 2025.
Binary-parser is a extensively used parser builder for JavaScript that permits builders to parse binary information. It helps a variety of widespread information varieties, together with integers, floating-point values, strings, and arrays. The bundle attracts roughly 13,000 downloads on a weekly foundation.
In response to an advisory launched by the CERT Coordination Middle (CERT/CC), the vulnerability has to do with a scarcity of sanitization of user-supplied values, corresponding to parser area names and encoding parameters, when the JavaScript parser code is dynamically generated at runtime utilizing the “Perform” constructor.
It is price noting that the npm library builds JavaScript supply code as a string that represents the parsing logic and compiles it utilizing the Perform constructor and caches it as an executable perform to parse buffers effectively.
Nonetheless, on account of CVE-2026-1245, an attacker-controlled enter may make its solution to the generated code with out sufficient validation, inflicting the applying to parse untrusted information, ensuing within the execution of arbitrary code. Purposes that use solely static, hard-coded parser definitions are usually not affected by the flaw.
“In affected functions that assemble parser definitions utilizing untrusted enter, an attacker could possibly execute arbitrary JavaScript code with the privileges of the Node.js course of,” CERT/CC stated. “This might permit entry to native information, manipulation of software logic, or execution of system instructions relying on the deployment surroundings.”
Safety researcher Maor Caplan has been credited with discovering and reporting the vulnerability. Customers of binary-parser are suggested to improve to model 2.3.0 and keep away from passing user-controlled values into parser area names or encoding parameters.
