Platform
nodejs
Component
binary-parser
Fixed versions
2.3.0
2.3.1
2.3.0
CVE-2026-1245 describes a code injection vulnerability discovered in the binary-parser library, affecting versions prior to 2.3.0. This flaw allows attackers to inject and execute arbitrary JavaScript code within the Node.js environment. The vulnerability stems from insufficient sanitization of user-supplied input used in dynamically generated code, posing a significant risk to applications relying on this library. Upgrade to version 2.3.0 to resolve this issue.
The impact of CVE-2026-1245 is severe, as it enables remote code execution (RCE) within the Node.js process. An attacker could exploit this vulnerability by crafting malicious input that is then parsed by the binary-parser library. This crafted input would inject JavaScript code, which would then be executed with the privileges of the Node.js process. This could lead to complete system compromise, data theft, or denial of service. The blast radius extends to any application utilizing the vulnerable binary-parser library, especially those handling untrusted data. This vulnerability shares similarities with other code injection flaws where dynamic code generation is not properly secured.
CVE-2026-1245 was publicly disclosed on 2026-01-20. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. Public proof-of-concept (PoC) exploits are likely to emerge given the ease of exploitation now that the vulnerability is public. Teams running Node.js applications that depend on binary-parser should be aware of this vulnerability.
Applications built on Node.js that utilize the binary-parser library to process binary data, particularly those handling untrusted input from external sources, are at risk. This includes applications that parse file uploads, network packets, or other data streams without proper validation. Developers using older versions of binary-parser in their projects should prioritize upgrading.
• nodejs / server:
`ps aux | grep node | grep -i binary-parser`
`npm list binary-parser`
• nodejs / supply-chain:
`npm audit`
`npm ls binary-parser --depth=1`
• generic web: Inspect Node.js application logs for unusual JavaScript execution errors or patterns related to parsing binary data.
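The `npm ls` checks above only list the direct dependency. The following script is an added example (not part of this advisory) that walks the JSON tree printed by `npm ls --all --json` and flags every installed copy of binary-parser, direct or transitive, whose version is below the fixed release. The sample tree embedded here is constructed, not real `npm ls` output.

```javascript
// Added example, not part of the advisory: scan an `npm ls --all --json`
// tree for installed binary-parser versions below the fixed release.
const PACKAGE_NAME = "binary-parser";
const FIXED_VERSION = "2.3.0";

// Constructed sample of `npm ls --all --json` output (not real data): one
// vulnerable direct dependency and one fixed transitive copy.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "binary-parser": { version: "2.2.1" },
    "some-lib": {
      version: "4.1.0",
      dependencies: {
        "binary-parser": { version: "2.3.1" },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric (not lexicographic) comparison: negative when a < b, 0 when equal.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Recursively collect vulnerable copies together with the dependency path
// that pulled each one in, so the owning package can be identified.
function findVulnerable(tree, fixed = FIXED_VERSION, path = []) {
  const hits = [];
  const fixedParsed = parseVersion(fixed);
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === PACKAGE_NAME) {
      const installed = parseVersion(info.version);
      // Unparseable versions are reported as well so they get a manual look.
      if (installed === null || compareVersions(installed, fixedParsed) < 0) {
        hits.push({ path: here.join(" > "), version: info.version ?? "unknown" });
      }
    }
    hits.push(...findVulnerable(info, fixed, here));
  }
  return hits;
}

// Stand-alone demonstration on the constructed tree.
for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`VULNERABLE ${hit.path} (${hit.version}); fixed in ${FIXED_VERSION}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the captured `npm ls --all --json` output; the path in each hit tells you which dependency needs its own update when the vulnerable copy is transitive.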
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CVSS vector
The primary mitigation for CVE-2026-1245 is to upgrade the binary-parser library to version 2.3.0 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any user-supplied data used in parser field names or encoding parameters. While a direct workaround is difficult without code changes, restricting the allowed characters in these fields can reduce the attack surface. Monitor Node.js processes for unusual JavaScript execution patterns. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests, although this is not a guaranteed solution.
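As an added example of the interim mitigation (restricting the characters allowed in field names and encoding parameters), the following code is not part of the advisory or of binary-parser itself. It applies an allow-list to a layout description received from an untrusted source before anything from it is handed to a parser builder; the `{ name, type, length, encoding }` layout shape and the sample inputs are constructed assumptions of this example.

```javascript
// Added example, not from the advisory or the binary-parser project:
// allow-list validation of untrusted parser field names and encodings.
// Only identifier-shaped names and a fixed set of encodings are accepted.
const FIELD_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
// Valid identifiers that would still shadow object internals.
const RESERVED_NAMES = new Set(["__proto__", "constructor", "prototype"]);
const ALLOWED_ENCODINGS = new Set(["utf8", "ascii", "latin1", "hex", "base64"]);
// Hypothetical subset of field types this example lets callers request.
const ALLOWED_TYPES = new Set(["uint8", "uint16le", "uint32le", "string"]);

function isSafeFieldName(name) {
  return typeof name === "string" && FIELD_NAME_RE.test(name) && !RESERVED_NAMES.has(name);
}

function isSafeEncoding(enc) {
  return typeof enc === "string" && ALLOWED_ENCODINGS.has(enc);
}

// Validate a whole layout. Returns { ok, errors, fields }; `fields` is a fresh
// copy holding only the checked properties, and is empty on any error so a
// partially bad layout can never reach the parser builder.
function checkLayout(layout) {
  const errors = [];
  const fields = [];
  const seen = new Set();
  if (!Array.isArray(layout)) {
    return { ok: false, errors: ["layout must be an array"], fields };
  }
  layout.forEach((f, i) => {
    if (!f || typeof f !== "object") {
      errors.push(`field ${i}: not an object`);
      return;
    }
    if (!isSafeFieldName(f.name)) errors.push(`field ${i}: rejected name ${JSON.stringify(f.name)}`);
    else if (seen.has(f.name)) errors.push(`field ${i}: duplicate name ${f.name}`);
    if (!ALLOWED_TYPES.has(f.type)) errors.push(`field ${i}: unsupported type ${JSON.stringify(f.type)}`);
    const out = { name: f.name, type: f.type };
    if (f.type === "string") {
      if (!Number.isInteger(f.length) || f.length <= 0 || f.length > 65535) {
        errors.push(`field ${i}: length must be an integer in 1..65535`);
      }
      if (!isSafeEncoding(f.encoding)) errors.push(`field ${i}: rejected encoding ${JSON.stringify(f.encoding)}`);
      out.length = f.length;
      out.encoding = f.encoding;
    }
    seen.add(f.name);
    fields.push(out);
  });
  return { ok: errors.length === 0, errors, fields: errors.length === 0 ? fields : [] };
}

// Constructed sample inputs (not real traffic).
const GOOD_LAYOUT = [
  { name: "magic", type: "uint32le" },
  { name: "label", type: "string", length: 16, encoding: "utf8" },
];
const BAD_LAYOUT = [
  { name: "size)", type: "uint16le" },                                // punctuation outside the identifier charset
  { name: "__proto__", type: "uint8" },                               // reserved property name
  { name: "label", type: "string", length: 4, encoding: "utf8; x" }, // encoding not in the allow-list
];

console.log("good:", checkLayout(GOOD_LAYOUT).ok);
console.log("bad:", checkLayout(BAD_LAYOUT).errors);
```

The approved `fields` array is what a caller would then apply to a `new Parser()` chain; the untrusted object is never passed through directly, and each rejection names the offending field so the event can be logged for the monitoring the advisory recommends.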
Update the binary-parser library to version 2.3.0 or later; this fixes the code injection vulnerability. Run `npm install binary-parser@latest` to update to the latest version.
CVE-2026-1245 is a code injection vulnerability in the binary-parser library for Node.js, affecting versions before 2.3.0. It allows attackers to execute arbitrary JavaScript code.
You are affected if your Node.js application uses binary-parser version 2.3.0 or earlier. Check your project dependencies with `npm list binary-parser`.
Upgrade binary-parser to version 2.3.0 or later using `npm install binary-parser@latest`. Implement input validation as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability is publicly known and PoCs are likely to emerge, making it a high-priority concern.
Refer to the binary-parser GitHub repository for updates and advisories: [https://github.com/binary-parser/binary-parser](https://github.com/binary-parser/binary-parser)