Platform: nodejs
Component: binary-parser
Fixed in: 2.3.0, 2.3.1
CVE-2026-1245 describes a code injection vulnerability discovered in the binary-parser library, affecting versions prior to 2.3.0. This flaw allows attackers to inject and execute arbitrary JavaScript code within the Node.js environment. The vulnerability stems from insufficient sanitization of user-supplied input used in dynamically generated code, posing a significant risk to applications relying on this library. Upgrade to version 2.3.0 to resolve this issue.
The impact of CVE-2026-1245 is severe, as it enables remote code execution (RCE) within the Node.js process. An attacker could exploit this vulnerability by crafting malicious input that is then parsed by the binary-parser library. This crafted input would inject JavaScript code, which would then be executed with the privileges of the Node.js process. This could lead to complete system compromise, data theft, or denial of service. The blast radius extends to any application utilizing the vulnerable binary-parser library, especially those handling untrusted data. This vulnerability shares similarities with other code injection flaws where dynamic code generation is not properly secured.
CVE-2026-1245 was publicly disclosed on 2026-01-20. The vulnerability is not currently listed in the CISA KEV catalog, and its EPSS score is pending evaluation. Public proof-of-concept (PoC) exploits are likely to emerge given the ease of exploitation now that the vulnerability is public. Teams operating Node.js applications should be aware of this vulnerability.
Exploit Status
EPSS: 0.07% (21st percentile)
CVSS Vector
The primary mitigation for CVE-2026-1245 is to upgrade the binary-parser library to version 2.3.0 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any user-supplied data used in parser field names or encoding parameters. While a direct workaround is difficult without code changes, restricting the allowed characters in these fields can reduce the attack surface. Monitor Node.js processes for unusual JavaScript execution patterns. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests, although this is not a guaranteed solution.
Update the binary-parser library to version 2.3.0 or higher. This will resolve the code injection vulnerability. Run `npm install binary-parser@latest` to update to the latest version.
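The interim mitigation described above (restricting the characters allowed in parser field names and encoding parameters), sketched as an added example that is not code from binary-parser or from this advisory. The definition shape `{ type, name, encoding }`, the function name `validateFieldDefs` and the allowlists are assumptions for illustration; the sample inputs are constructed.

```javascript
// Added example: validate an untrusted parser definition BEFORE any of its
// values reach code that builds a parser. Everything here is an assumed policy.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;            // plain identifiers only
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex', 'utf16le']);
const ALLOWED_TYPES = new Set(['uint8', 'uint16be', 'uint16le', 'uint32be', 'uint32le', 'string']);

function validateFieldDefs(defs) {
  if (!Array.isArray(defs)) return { ok: false, errors: ['definition must be an array'] };
  const errors = [];
  const seen = new Set();
  defs.forEach((def, i) => {
    if (def === null || typeof def !== 'object') {
      errors.push(`field ${i}: not an object`);
      return;
    }
    const { type, name, encoding } = def;
    // Type must be an exact allowlisted string, never a caller-chosen method name.
    if (typeof type !== 'string' || !ALLOWED_TYPES.has(type)) {
      errors.push(`field ${i}: type not allowed`);
    }
    // Name must be a string (no objects with custom toString) matching the pattern.
    if (typeof name !== 'string' || !IDENTIFIER.test(name) || RESERVED.has(name)) {
      errors.push(`field ${i}: name not allowed`);
    } else if (seen.has(name)) {
      errors.push(`field ${i}: duplicate name`);
    } else {
      seen.add(name);
    }
    // Encoding is optional, but if present it must match the allowlist exactly.
    if (encoding !== undefined && (typeof encoding !== 'string' || !ALLOWED_ENCODINGS.has(encoding))) {
      errors.push(`field ${i}: encoding not allowed`);
    }
  });
  return { ok: errors.length === 0, errors };
}

// Constructed sample definitions, as they might arrive from an untrusted source.
const SAMPLE_OK = [{ type: 'uint16be', name: 'length' }, { type: 'string', name: 'label', encoding: 'utf8' }];
const SAMPLE_BAD = [
  { type: 'string', name: 'label"]', encoding: 'utf8' },  // punctuation in name
  { type: 'uint8', name: 'len', encoding: 'utf8\n' },     // trailing newline in encoding
  { type: 'eval', name: '__proto__' },                    // unknown type, reserved name
];
console.log(validateFieldDefs(SAMPLE_OK));
console.log(validateFieldDefs(SAMPLE_BAD));
```

Reject the whole definition when `ok` is false rather than dropping only the offending fields, and log the errors so rejected definitions are visible to monitoring.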
CVE-2026-1245 is a code injection vulnerability in the binary-parser library for Node.js, affecting versions before 2.3.0. It allows attackers to execute arbitrary JavaScript code.
You are affected if your Node.js application uses a binary-parser version earlier than 2.3.0. Check your project dependencies with `npm list binary-parser`.
Upgrade binary-parser to version 2.3.0 or later using `npm install binary-parser@latest`. Implement input validation as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability is publicly known and PoCs are likely to emerge, making it a high-priority concern.
Refer to the binary-parser GitHub repository for updates and advisories: [https://github.com/binary-parser/binary-parser](https://github.com/binary-parser/binary-parser)