Binary-parser arbitrary JavaScript execution security flaw (CVE-2026-1245)
Vulnerability
Summary
binary-parser disclosed CVE-2026-1245, a flaw that can let untrusted parser inputs trigger arbitrary JavaScript execution in affected Node.js applications. The issue affects all versions prior to 2.3.0, with a fixed release already available. Applications that build parser definitions from user-controlled values face the highest risk.
Timeline
- 21.01.2026 08:04
binary-parser 2.3.0 release fixes CVE-2026-1245
Mitigation Patch Update: binary-parser 2.3.0 is released to address CVE-2026-1245, fixing a flaw in versions prior to 2.3.0 where unsanitized parser field names and encoding parameters could reach JavaScript generated with the Function constructor and enable arbitrary JavaScript execution in affected Node.js applications.
Sources:
- CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution — thehackernews.com — 21.01.2026 08:04
- 21.01.2026 08:04
CERT/CC discloses CVE-2026-1245 in binary-parser
Initial Disclosure: CERT/CC discloses CVE-2026-1245 in the binary-parser npm library, warning that affected applications that construct parser definitions from untrusted input can allow attacker-controlled values to reach dynamically generated JavaScript and execute code with the privileges of the Node.js process.
Sources:
- CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution — thehackernews.com — 21.01.2026 08:04
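
For applications that, as the summary describes, build parser definitions from user-controlled values, one way to vet field names and encoding parameters before they reach the library. This is an added example, not code from binary-parser, CERT/CC or the cited article; the JSON definition shape (`type`, `name`, `encoding`, `length`), both allowlists and the function names are assumptions made for illustration.

```javascript
// Added example: allowlist gate for parser definitions received as untrusted JSON.
// The definition shape and both allowlists are assumptions for illustration.
const ALLOWED_TYPES = new Set(['uint8', 'uint16le', 'uint16be', 'uint32le', 'uint32be', 'string']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'hex', 'latin1']);
// Plain ASCII identifier only: no quotes, brackets, dots, whitespace or operators.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
// Identifier-shaped names that would still collide with object internals.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_FIELDS = 64;

// Returns the first problem with one field, or null. Messages never echo input.
function fieldProblem(f, seen) {
  if (f === null || typeof f !== 'object') return 'not an object';
  if (typeof f.type !== 'string' || !ALLOWED_TYPES.has(f.type)) return 'type not allowed';
  if (typeof f.name !== 'string' || !FIELD_NAME.test(f.name) || RESERVED.has(f.name)) return 'name rejected';
  if (seen.has(f.name)) return 'duplicate name';
  if (f.type === 'string') {
    if (typeof f.encoding !== 'string' || !ALLOWED_ENCODINGS.has(f.encoding)) return 'encoding not allowed';
    if (!Number.isInteger(f.length) || f.length < 1 || f.length > 65535) return 'length out of range';
  }
  return null;
}

// Returns { ok, errors, fields }; `fields` contains rebuilt objects carrying only
// vetted properties, and is empty unless every field passed.
function validateDefinition(untrusted) {
  if (!Array.isArray(untrusted) || untrusted.length === 0 || untrusted.length > MAX_FIELDS) {
    return { ok: false, errors: ['definition must be a non-empty array within the field limit'], fields: [] };
  }
  const errors = [], fields = [], seen = new Set();
  untrusted.forEach((f, i) => {
    const problem = fieldProblem(f, seen);
    if (problem) { errors.push(`field ${i}: ${problem}`); return; }
    seen.add(f.name);
    const clean = { type: f.type, name: f.name };
    if (f.type === 'string') Object.assign(clean, { encoding: f.encoding, length: f.length });
    fields.push(clean);
  });
  const ok = errors.length === 0;
  return { ok, errors, fields: ok ? fields : [] };
}

// Constructed sample inputs (not taken from the advisory).
const sampleGood = [{ type: 'uint8', name: 'version' }, { type: 'string', name: 'label', encoding: 'utf8', length: 8, extra: 1 }];
const sampleBad = [{ type: 'uint8', name: 'id; extra' }, { type: 'string', name: 'label', encoding: "utf8' + x", length: 8 }];

console.log(validateDefinition(sampleGood));
console.log(validateDefinition(sampleBad).errors);
```

Only the rebuilt `fields` array should be used to construct the parser. The check complements upgrading to the fixed 2.3.0 release and does not replace it.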