
CERT/CC Warns binary-parser Bug Permits Node.js Privilege-Level Code Execution

A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript.

The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025.

binary-parser is a widely used parser builder for JavaScript that allows developers to declaratively describe and parse binary data. It supports a range of common data types, including integers, floating-point values, strings, and arrays. The package draws roughly 13,000 downloads a week.

According to an advisory released by the CERT Coordination Center (CERT/CC), the vulnerability stems from a lack of sanitization of user-supplied values, such as parser field names and encoding parameters, when the JavaScript parser code is dynamically generated at runtime using the "Function" constructor.


It's worth noting that the npm library builds JavaScript source code as a string representing the parsing logic, compiles it with the Function constructor, and caches the result as an executable function so that buffers can be parsed efficiently. Any value that is concatenated into that string without escaping or validation therefore becomes part of the program rather than data.


However, because of CVE-2026-1245, attacker-controlled input could make its way into the generated code without adequate validation. An application that builds its parser definition from untrusted data (for example, letting a client choose field names or string encodings) would then compile and run attacker-supplied code. The binary payload being parsed is not the vector; the parser definition is. Applications that use only static, hard-coded parser definitions are not affected by the flaw.

"In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process," CERT/CC said. "This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment."

Security researcher Maor Caplan has been credited with discovering and reporting the vulnerability. Users of binary-parser are advised to upgrade to version 2.3.0 and to avoid passing user-controlled values into parser field names or encoding parameters.
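To make the mechanism described above concrete, the following is an added example written for this article; it is not binary-parser's code and does not reproduce its internals. It is a deliberately minimal parser builder in the same style: a field list is turned into JavaScript source and compiled with the Function constructor. The type table, the record layout, the sample bytes and the hostile field definitions are all constructed for the demonstration. The vulnerable builder interpolates caller-supplied names and encodings straight into the source; the hardened builder shows what "avoid passing user-controlled values into field names or encoding parameters" looks like when enforced in code.

```javascript
// Added example (not binary-parser's own code): a minimal parser builder that
// generates JavaScript source and compiles it with the Function constructor.
// Type table, field layout and sample record are constructed for this article.

const INT_TYPES = {
  uint8:  { size: 1, read: 'readUInt8' },
  uint16: { size: 2, read: 'readUInt16BE' },
  uint32: { size: 4, read: 'readUInt32BE' },
};

// Vulnerable builder: caller-supplied name, encoding and length are pasted into
// generated source. Any value that closes the surrounding quote becomes code.
function buildParserVulnerable(fields) {
  let src = 'var vars = {}; var offset = 0;\n';
  for (const { name, type, length, encoding } of fields) {
    if (type === 'string') {
      src += `vars['${name}'] = buf.toString('${encoding}', offset, offset + ${length}); offset += ${length};\n`;
    } else {
      const t = INT_TYPES[type];
      if (!t) throw new TypeError(`unknown type ${type}`);
      src += `vars['${name}'] = buf.${t.read}(offset); offset += ${t.size};\n`;
    }
  }
  src += 'return vars;';
  return new Function('buf', src); // a real library would cache this function
}

// Hardened builder: allow-list every value before it reaches generated source
// (identifier regex for names, Buffer.isEncoding for encodings, non-negative
// integer for lengths) and emit strings through JSON.stringify so an unescaped
// attacker string cannot appear in the code even if a check is relaxed later.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function buildParserSafe(fields) {
  let src = 'var vars = {}; var offset = 0;\n';
  for (const { name, type, length, encoding } of fields) {
    if (typeof name !== 'string' || !IDENT.test(name)) {
      throw new TypeError(`invalid field name: ${JSON.stringify(name)}`);
    }
    const key = JSON.stringify(name);
    if (type === 'string') {
      if (!Buffer.isEncoding(encoding)) throw new TypeError(`invalid encoding: ${JSON.stringify(encoding)}`);
      if (!Number.isInteger(length) || length < 0) throw new TypeError(`invalid length: ${String(length)}`);
      src += `vars[${key}] = buf.toString(${JSON.stringify(encoding)}, offset, offset + ${length}); offset += ${length};\n`;
    } else {
      const t = INT_TYPES[type];
      if (!t) throw new TypeError(`unknown type ${String(type)}`);
      src += `vars[${key}] = buf.${t.read}(offset); offset += ${t.size};\n`;
    }
  }
  src += 'return vars;';
  return new Function('buf', src);
}

// Constructed 9-byte record: uint8 version, uint16 length, uint32 id, 2-byte ASCII tag.
const SAMPLE = Buffer.from([0x02, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef, 0x4f, 0x4b]);
const BENIGN = [
  { name: 'version', type: 'uint8' },
  { name: 'length',  type: 'uint16' },
  { name: 'id',      type: 'uint32' },
  { name: 'tag',     type: 'string', length: 2, encoding: 'ascii' },
];

// Hostile definitions of the kind an application receives if untrusted input
// chooses field names or encodings. Each closes the string literal the builder
// wraps it in and plants an extra statement. The planted statement only records
// typeof process here, but it could call anything the Node.js process can reach.
const HOSTILE_NAME = [
  { name: "version']=0;vars['pwned']=typeof process;vars['z", type: 'uint8' },
];
const HOSTILE_ENCODING = [
  { name: 'tag', type: 'string', length: 2,
    encoding: "ascii', offset, offset + 2); vars['pwned']=typeof process; buf.toString('ascii" },
];

// True if the hardened builder refuses the definition with a TypeError.
function rejects(fields) {
  try { buildParserSafe(fields); return false; } catch (e) { return e instanceof TypeError; }
}

function demo() {
  return {
    good: buildParserSafe(BENIGN)(SAMPLE),                       // normal parse
    injectedViaName: buildParserVulnerable(HOSTILE_NAME)(SAMPLE), // planted code ran
    injectedViaEncoding: buildParserVulnerable(HOSTILE_ENCODING)(SAMPLE),
    nameRejected: rejects(HOSTILE_NAME),
    encodingRejected: rejects(HOSTILE_ENCODING),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two hostile definitions never touch the bytes being parsed; they only change how the parser is built, which is why CERT/CC's advisory scopes the impact to applications that construct parser definitions from untrusted input. The allow-list plus JSON.stringify pattern in the hardened builder is defence in depth for code that must keep generating source at runtime; it does not replace upgrading binary-parser itself to 2.3.0 or later.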
