Overview

The binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.

Description

binary-parser is a JavaScript library to facilitate writing "efficient binary parsers in a simple and declarative manner." binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization.

If an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.

The vendor has released a fix and clarified the library’s design limitations in version 2.3.0.

Impact

In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.

Solution

Users of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix.

This document was written by Timur Snoke.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

References

https://github.com/keichi/
https://github.com/keichi/binary-parser/pull/283
https://www.npmjs.com/package/binary-parser

Other Information

CVE IDs: CVE-2026-1245
Date Public: 2026-01-20
Date First Published: 2026-01-20
Date Last Updated: 2026-01-21 17:34 UTC
Document Revision: 2

A code injection vulnerability exists in the binary-parser library for Node.js (versions prior to 2.3.0). This flaw allows arbitrary JavaScript code execution if untrusted input is used to construct parser definitions, potentially leading to significant security risks for applications using the library with externally supplied data.
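
The following added example (not code from binary-parser or from this advisory) shows one way to follow the Solution's advice when field descriptors come from outside the application: every name, type and encoding is checked against a strict pattern or allowlist before any source text is generated. The toy generator `compileReader`, the helper `checkField`, the type and encoding allowlists, and the sample buffer are assumptions constructed for illustration.

```javascript
// Added example: a toy code generator, NOT binary-parser's implementation.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;            // plain JS identifier only
const ENCODINGS = new Set(['utf8', 'ascii', 'hex', 'latin1']); // assumed allowlist
const TYPES = new Set(['uint8', 'uint16be']);          // toy type list (hypothetical)

// Validate one externally supplied field descriptor; throw on anything unexpected.
function checkField(f) {
  if (typeof f.name !== 'string' || !IDENT.test(f.name) || f.name === '__proto__')
    throw new TypeError('unsafe field name: ' + JSON.stringify(f.name));
  if (f.type === 'string') {
    if (!ENCODINGS.has(f.encoding))
      throw new TypeError('unsafe encoding: ' + JSON.stringify(f.encoding));
    if (!Number.isInteger(f.length) || f.length < 0)
      throw new TypeError('bad length: ' + JSON.stringify(f.length));
  } else if (!TYPES.has(f.type)) {
    throw new TypeError('unknown type: ' + JSON.stringify(f.type));
  }
  return f;
}

// Builds source text and compiles it with the Function constructor, the same
// pattern the advisory describes. Every interpolated value has passed
// checkField first, so none of them can change the shape of the generated code.
function compileReader(fields) {
  let src = 'let o = 0; const out = {};\n';
  for (const f of fields.map(checkField)) {
    if (f.type === 'string') {
      src += `out.${f.name} = buf.toString('${f.encoding}', o, o + ${f.length}); o += ${f.length};\n`;
    } else if (f.type === 'uint8') {
      src += `out.${f.name} = buf.readUInt8(o); o += 1;\n`;
    } else {
      src += `out.${f.name} = buf.readUInt16BE(o); o += 2;\n`;
    }
  }
  return new Function('buf', src + 'return out;');
}

// Constructed sample definition and input buffer.
const parse = compileReader([
  { name: 'version', type: 'uint8' },
  { name: 'length', type: 'uint16be' },
  { name: 'tag', type: 'string', encoding: 'ascii', length: 3 },
]);
console.log(parse(Buffer.from([1, 0, 5, 0x61, 0x62, 0x63])));
```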