CERT/CC Warns Binary Parser Bug Enables Privilege Level Code Execution in Node.js

The CERT Coordination Center (CERT/CC) has issued a warning about a security vulnerability in the widely used binary-parser npm library that could allow attackers to execute arbitrary JavaScript code under certain conditions.

The flaw is tracked as CVE-2026-1245 and affects all versions of binary-parser released before 2.3.0. The issue was fixed on November 26, 2025, and users are strongly advised to update. While no CVSS score has been assigned yet, the impact is considered serious in environments where untrusted input is used.

Binary-parser is a JavaScript parser builder designed to interpret binary data. It supports multiple data types, including integers, floating-point numbers, strings, and arrays, and is downloaded roughly 13,000 times per week, making it a common dependency in Node.js applications.

According to CERT/CC, the vulnerability stems from insufficient sanitization of user-controlled values, specifically parser field names and encoding parameters. The library dynamically generates JavaScript parsing logic at runtime using the Function constructor. This logic is built as a string, compiled into executable code, and cached for performance reasons.

Due to this design, attacker-supplied input can be injected into the generated code without proper validation. When applications construct parser definitions using untrusted data, this can lead to arbitrary JavaScript execution during parsing.

Applications that rely solely on static, hard-coded parser definitions are not affected.
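The distinction above (static definitions are safe; untrusted ones are not) suggests the defensive pattern for applications that must build parser definitions from external data: allowlist-validate every field name, type and encoding before the definition reaches any builder that generates code at runtime. The following is an added example written for this article, not code from the binary-parser project; the definition shape `{ name, type, options }`, the `ALLOWED_TYPES` subset and the two sample definitions are constructed assumptions.

```javascript
// Added example (not binary-parser's own code): allowlist validation for
// parser definitions that originate from untrusted input, applied before
// the definition is handed to a code-generating parser builder.

// Field names must be plain JavaScript identifiers. Anything containing
// quotes, brackets, spaces or other punctuation is rejected outright.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words are valid object keys but not bare identifiers inside
// generated code, so they are rejected as well.
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'finally',
  'for', 'function', 'if', 'implements', 'import', 'in', 'instanceof',
  'interface', 'let', 'new', 'package', 'private', 'protected', 'public',
  'return', 'static', 'super', 'switch', 'this', 'throw', 'try', 'typeof',
  'var', 'void', 'while', 'with', 'yield',
]);

// Constructed subset of field types an application might accept; a real
// deployment lists only the types it actually uses.
const ALLOWED_TYPES = new Set(['uint8', 'uint16le', 'uint32le', 'int32le', 'string', 'array']);

function isSafeFieldName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

function isSafeEncoding(encoding) {
  // Buffer.isEncoding() is Node's own list of supported encodings, so an
  // encoding string is never passed through unchecked.
  return typeof encoding === 'string' && Buffer.isEncoding(encoding);
}

// Validates a definition of the assumed shape [{ name, type, options? }, ...]
// and returns a list of problems; an empty list means the definition is safe.
function validateDefinition(def) {
  if (!Array.isArray(def)) return ['definition must be an array'];
  const problems = [];
  const seen = new Set(); // names of earlier, already-validated fields

  def.forEach((field, i) => {
    if (!field || typeof field !== 'object') {
      problems.push(`field ${i}: not an object`);
      return;
    }
    const nameOk = isSafeFieldName(field.name);
    if (!nameOk) problems.push(`field ${i}: unsafe name ${JSON.stringify(field.name)}`);
    else if (seen.has(field.name)) problems.push(`field ${i}: duplicate name ${field.name}`);

    if (!ALLOWED_TYPES.has(field.type)) {
      problems.push(`field ${i}: type ${JSON.stringify(field.type)} not allowed`);
    }

    const opts = field.options && typeof field.options === 'object' ? field.options : {};
    if ('encoding' in opts && !isSafeEncoding(opts.encoding)) {
      problems.push(`field ${i}: unsupported encoding ${JSON.stringify(opts.encoding)}`);
    }
    // A length may only be a non-negative integer or the name of an earlier field.
    if ('length' in opts) {
      const len = opts.length;
      const lenOk = (Number.isInteger(len) && len >= 0) ||
        (typeof len === 'string' && seen.has(len));
      if (!lenOk) problems.push(`field ${i}: length must be a non-negative integer or an earlier field name`);
    }
    if (nameOk) seen.add(field.name);
  });
  return problems;
}

// Throws on any problem so an unsafe definition never reaches the builder.
function assertSafeDefinition(def) {
  const problems = validateDefinition(def);
  if (problems.length) throw new Error(`rejected parser definition: ${problems.join('; ')}`);
  return def;
}

// Constructed sample definitions for illustration.
const SAMPLE_TRUSTED_DEFINITION = [
  { name: 'len', type: 'uint8' },
  { name: 'label', type: 'string', options: { length: 'len', encoding: 'utf8' } },
];
const SAMPLE_UNTRUSTED_DEFINITION = [
  { name: 'len', type: 'uint8' },
  { name: 'bad name', type: 'string', options: { length: 'len', encoding: 'utf-9' } },
];

// Usage: only a validated definition would be forwarded to the builder, e.g.
// assertSafeDefinition(SAMPLE_TRUSTED_DEFINITION) succeeds, while
// validateDefinition(SAMPLE_UNTRUSTED_DEFINITION) reports two problems.
```

The check runs before any parser object is created, so the untrusted data never reaches the runtime code generation that the advisory describes; the allowlist approach (identifier regex, reserved-word set, `Buffer.isEncoding`) is a complement to upgrading to binary-parser 2.3.0 or later, not a substitute for it.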

“In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process,” CERT/CC stated. “This could allow access to local data, manipulation of application logic, or execution of system commands, depending on the deployment environment.”