A vital code-injection vulnerability has been recognized within the Node.js binary-parser library, affecting all variations earlier than 2.3.0.
The flaw permits attackers to execute arbitrary JavaScript code if untrusted enter is used to assemble parser definitions, probably compromising software integrity and system safety.
The binary-parser library, designed to facilitate writing environment friendly binary parsers in a easy, declarative method, comprises a harmful code-generation flaw.
The library dynamically generates JavaScript code at runtime utilizing the Operate constructor.
Critically, user-supplied values, particularly parser subject names and encoding parameters, are straight included into the generated code with out validation or sanitization.
FieldValueCVECVE-2026-1245Affected Softwarebinary-parser (variations < 2.3.0)Vulnerability TypeCode InjectionSeverityCritical
The vulnerability (CVE-2026-1245) stems from unsafe code technology practices.
When purposes move untrusted or externally equipped information into parser subject names or encoding parameters, unsanitized values can alter the generated JavaScript code throughout runtime.
This manipulation permits the execution of attacker-controlled code with full privileges of the Node.js course of. You will need to be aware that purposes utilizing solely static, hardcoded parser definitions should not affected by this vulnerability.
The chance exists completely when dynamic parser definitions are constructed utilizing exterior or untrusted enter sources.
Profitable exploitation may permit attackers to execute arbitrary JavaScript code inside the Node.js course of context.
Relying on the deployment surroundings and software privileges, this might facilitate unauthorized entry to native information and manipulation of software logic.
Execution of system instructions or lateral motion inside networked infrastructure. Enterprise purposes processing third-party information face heightened threat.
The seller has launched model 2.3.0, which implements enter validation and mitigations for unsafe code technology.
In line with CERT/CC, rapid motion is really useful:
Improve binary-parser to model 2.3.0 or later.
Audit purposes for any use of externally-sourced information in parser definitions
Implement strict enter validation for any parser configuration parameters. Keep away from passing user-controlled values into parser subject names or encoding parameters.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
