CVE-2026-1245

MEDIUM

binary-parser < 2.3.0 - Remote Code Execution via Parser Field Name or Encoding Parameter

Title source: llm

Description

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

References (5)

Core 5

Core References

Product

https://github.com/keichi/binary-parser

View Writeup ZIP pw:eip

Patch

https://github.com/keichi/binary-parser/pull/283

Third Party Advisory

https://kb.cert.org/vuls/id/102648

Product

https://www.npmjs.com/package/binary-parser

Third Party Advisory

https://www.kb.cert.org/vuls/id/102648

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 24.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-94

Status published

Products (2)

keichi/binary-parser < 2.3.0

npm/binary-parser 0 - 2.3.0npm

Published Jan 20, 2026

Tracked Since Feb 18, 2026