Platform
nodejs
Component
binary-parser
Fixed in
2.3.0
2.3.1
2.3.0
CVE-2026-1245 describes a code injection vulnerability discovered in the binary-parser library, affecting versions prior to 2.3.0. This flaw allows attackers to inject and execute arbitrary JavaScript code within the Node.js environment. The vulnerability stems from insufficient sanitization of user-supplied input used in dynamically generated code, posing a significant risk to applications relying on this library. Upgrade to version 2.3.0 to resolve this issue.
The impact of CVE-2026-1245 is severe, as it enables remote code execution (RCE) within the Node.js process. An attacker could exploit this vulnerability by crafting malicious input that is then parsed by the binary-parser library. This crafted input would inject JavaScript code, which would then be executed with the privileges of the Node.js process. This could lead to complete system compromise, data theft, or denial of service. The blast radius extends to any application utilizing the vulnerable binary-parser library, especially those handling untrusted data. This vulnerability shares similarities with other code injection flaws where dynamic code generation is not properly secured.
CVE-2026-1245 was publicly disclosed on 2026-01-20. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. Public proof-of-concept (PoC) exploits are likely to emerge given the ease of exploitation now that the vulnerability is public. Attackers targeting Node.js applications should be aware of this vulnerability.
Applications built on Node.js that utilize the binary-parser library to process binary data, particularly those handling untrusted input from external sources, are at risk. This includes applications that parse file uploads, network packets, or other data streams without proper validation. Developers using older versions of binary-parser in their projects should prioritize upgrading.
• nodejs / server:
  ps aux | grep node | grep -i binary-parser
  npm list binary-parser
• nodejs / supply-chain:
  npm audit binary-parser
  npm ls binary-parser --depth=1
• generic web: Inspect Node.js application logs for unusual JavaScript execution errors or patterns related to parsing binary data.
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CVSS vector
The primary mitigation for CVE-2026-1245 is to upgrade the binary-parser library to version 2.3.0 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any user-supplied data used in parser field names or encoding parameters. While a direct workaround is difficult without code changes, restricting the allowed characters in these fields can reduce the attack surface. Monitor Node.js processes for unusual JavaScript execution patterns. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests, although this is not a guaranteed solution.
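Added example (not code from this advisory or from the binary-parser project) of the interim mitigation described above: an allowlist check on untrusted parser field names and encoding parameters before they reach any parser builder, plus a version check that walks `npm ls binary-parser --json` output for still-affected copies. The identifier pattern, the reserved-name denylist and the encoding allowlist are assumptions of this example; the advisory only states that these fields feed dynamically generated code.

```javascript
// Parser field names end up in generated code, so accept only plain JavaScript
// identifiers (no quotes, brackets, dots, template syntax or spaces), and reject
// identifiers that would still collide with generated code (assumed denylist).
const FIELD_NAME_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(['constructor', 'prototype', '__proto__', 'eval', 'arguments']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'utf-8', 'ascii', 'latin1', 'hex', 'base64', 'utf16le', 'ucs2']); // assumed allowlist
function isSafeFieldName(name) {
  return typeof name === 'string' && name.length <= 64 && FIELD_NAME_RE.test(name) && !RESERVED.has(name);
}
function isSafeEncoding(enc) {
  return enc === undefined || (typeof enc === 'string' && ALLOWED_ENCODINGS.has(enc.toLowerCase()));
}

// Validate an untrusted schema ([{name, type, encoding}, ...]) before it reaches any
// parser builder: returns a copy of the accepted fields, or throws listing every
// rejected entry so the caller can log the attempt.
function validateSchema(fields) {
  const rejected = [], seen = new Set();
  for (const f of fields) {
    const name = f && f.name;
    if (!isSafeFieldName(name)) { rejected.push(`bad field name ${JSON.stringify(name)}`); continue; }
    if (seen.has(name)) { rejected.push(`duplicate field ${name}`); continue; }
    seen.add(name);
    if (!isSafeEncoding(f.encoding)) rejected.push(`bad encoding ${JSON.stringify(f.encoding)} on ${name}`);
  }
  if (rejected.length) throw new Error('schema rejected: ' + rejected.join('; '));
  return fields.map(({ name, type, encoding }) => ({ name, type, encoding }));
}

// Versions before 2.3.0 are affected. Accepts "v2.2.1", "2.3.0-rc.1", etc.; returns
// null for anything unparseable so callers treat it as unknown rather than safe.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return null;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 2) return major < 2;
  if (minor !== 3) return minor < 3;
  return patch === 0 && m[4] !== undefined; // only a 2.3.0 pre-release predates the fix
}

// Walk `npm ls binary-parser --json` output (nested dependencies included) and
// return every binary-parser version found that is still affected.
function affectedVersions(tree, out = []) {
  for (const [pkg, info] of Object.entries((tree && tree.dependencies) || {})) {
    if (pkg === 'binary-parser' && isAffectedVersion(info.version)) out.push(info.version);
    affectedVersions(info, out);
  }
  return out;
}
```

Pipe the real `npm ls binary-parser --json` output through `JSON.parse` and hand the result to `affectedVersions`; any non-empty result means an upgrade is still outstanding somewhere in the tree.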
Update the binary-parser library to version 2.3.0 or later. This fixes the code injection vulnerability. Run `npm install binary-parser@latest` to update to the latest version.
CVE-2026-1245 is a code injection vulnerability in the binary-parser library for Node.js, affecting versions before 2.3.0. It allows attackers to execute arbitrary JavaScript code.
You are affected if your Node.js application uses binary-parser version 2.3.0 or earlier. Check your project dependencies with `npm list binary-parser`.
Upgrade binary-parser to version 2.3.0 or later using `npm install binary-parser@latest`. Implement input validation as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability is publicly known and PoCs are likely to emerge, making it a high-priority concern.
Refer to the binary-parser GitHub repository for updates and advisories: [https://github.com/binary-parser/binary-parser](https://github.com/binary-parser/binary-parser)