CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution

Published:

21 January 2026 at 06:04:00

Alert date:

21 January 2026 at 07:01:25

Source:

thehackernews.com

Supply Chain & Dependencies, Web Technologies

A security vulnerability tracked as CVE-2026-1245 has been disclosed in the popular binary-parser npm library that could result in arbitrary JavaScript code execution. The vulnerability affects all versions of the module prior to version 2.3.0, in which it was patched on November 26, 2025. CERT/CC has issued a warning that the bug allows code execution with the privileges of the Node.js process. binary-parser is a widely used npm library, so the vulnerability is potentially impactful for many Node.js applications. Organizations using affected versions should update to version 2.3.0 or later immediately.

Technical details

The vulnerability stems from a lack of sanitization of user-supplied values, such as parser field names and encoding parameters, when JavaScript parser code is dynamically generated at runtime using the Function constructor. The library builds JavaScript source code as a string representing the parsing logic, compiles it with the Function constructor, and caches the result as an executable function. Attacker-controlled input can make its way into the generated code without adequate validation, causing the application to parse untrusted data and resulting in arbitrary code execution. Applications using only static, hard-coded parser definitions are not affected.

Mitigation steps:

Upgrade binary-parser to version 2.3.0 or later. Avoid passing user-controlled values into parser field names or encoding parameters. Applications that use only static, hard-coded parser definitions are not affected by the flaw.
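
The pattern described under Technical details, next to the input check the mitigation implies, as an added example that is not binary-parser's code and not part of the original advisory. The toy generator, the names `compileUnsafe` and `compileSafe`, the field shape and the sample buffer are all assumptions constructed for illustration.

```javascript
// Toy model: parser source is built as a string and compiled with the Function
// constructor. Not binary-parser's code; every name here is an assumption.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const ENCODINGS = new Set(["utf8", "ascii", "latin1", "hex"]);

// Before: name and encoding are pasted into the generated source unchecked.
function compileUnsafe(fields) {
  let src = "const out = {}; let off = 0;\n";
  for (const f of fields) {
    src += f.encoding
      ? `out.${f.name} = buf.toString('${f.encoding}', off, off + ${f.length}); off += ${f.length};\n`
      : `out.${f.name} = buf.readUInt8(off); off += 1;\n`;
  }
  return new Function("buf", src + "return out;");
}

// After: accept only plain identifiers, allowlisted encodings and integer
// lengths, and emit strings into the source only as JSON literals.
function compileSafe(fields) {
  let src = "const out = {}; let off = 0;\n";
  for (const f of fields) {
    if (typeof f.name !== "string" || !IDENT.test(f.name) || BLOCKED.has(f.name)) throw new TypeError("rejected field name");
    const key = JSON.stringify(f.name);
    if (f.encoding === undefined) {
      src += `out[${key}] = buf.readUInt8(off); off += 1;\n`;
      continue;
    }
    if (!ENCODINGS.has(f.encoding) || !Number.isInteger(f.length) || f.length < 0) throw new TypeError("rejected string field");
    src += `out[${key}] = buf.toString(${JSON.stringify(f.encoding)}, off, off + ${f.length}); off += ${f.length};\n`;
  }
  return new Function("buf", src + "return out;");
}

// Constructed inputs: a static definition, and one whose field name is tainted
// with a harmless marker assignment.
const SAMPLE = Buffer.from([0x07, 0x68, 0x69]);
const STATIC_DEF = [{ name: "version" }, { name: "tag", length: 2, encoding: "ascii" }];
const TAINTED_DEF = [{ name: "a = 0; globalThis.__demoRan = true; out.b" }];

function demo() {
  globalThis.__demoRan = false;
  compileUnsafe(TAINTED_DEF)(SAMPLE); // the name text executes as code
  const unsafeRan = globalThis.__demoRan;
  let rejected = false;
  try { compileSafe(TAINTED_DEF); } catch (e) { rejected = e instanceof TypeError; }
  return { unsafeRan, rejected, parsed: compileSafe(STATIC_DEF)(SAMPLE) };
}
```

The same allowlist check can be applied in application code to any field name or encoding that originates outside the program before it reaches a parser definition.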

Affected products:

binary-parser npm library (all versions prior to 2.3.0)
Node.js applications using binary-parser with untrusted input

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.