{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/102648#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nThe binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.\r\n\r\n### Description\r\nbinary-parser is a JavaScript library to facilitate writing \"efficient binary parsers in a simple and declarative manner.\"\r\nbinary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization.\r\n\r\nIf an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.\r\n\r\nThe vendor has released a [fix](https://github.com/keichi/binary-parser/pull/283) and clarified the library’s design limitations in version 2.3.0.\r\n\r\n### Impact\r\n\r\nIn affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.\r\n\r\n### Solution\r\n\r\nUsers of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.\r\n\r\n### Acknowledgements\r\n\r\nThanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix.\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The developer created a patch to address this issue, as a result we will indicate that the library is vulnerable without the patch. Hence the affected designation.","title":"CERT/CC comment on binary-parser notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/102648"},{"url":"https://github.com/keichi/","summary":"https://github.com/keichi/"},{"url":"https://github.com/keichi/binary-parser/pull/283","summary":"https://github.com/keichi/binary-parser/pull/283"},{"url":"https://www.npmjs.com/package/binary-parser","summary":"https://www.npmjs.com/package/binary-parser"}],"title":"Code injection vulnerability in binary-parser library","tracking":{"current_release_date":"2026-01-21T17:34:32+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#102648","initial_release_date":"2026-01-20 18:51:09.196923+00:00","revision_history":[{"date":"2026-01-21T17:34:32+00:00","number":"1.20260121173432.2","summary":"Released on 2026-01-21T17:34:32+00:00"}],"status":"final","version":"1.20260121173432.2"}},"vulnerabilities":[{"title":"A code injection vulnerability in the binary-parser library prior to version 2.","notes":[{"category":"summary","text":"A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process."}],"cve":"CVE-2026-1245","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#102648"}],"product_status":{"known_affected":["CSAFPID-dabc7802-3656-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"binary-parser","product":{"name":"binary-parser Products","product_id":"CSAFPID-dabc7802-3656-11f1-8422-122e2785dc9f"}}]}}