A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.
References
| Link | Resource |
|---|---|
| https://github.com/keichi/binary-parser | Product |
| https://github.com/keichi/binary-parser/pull/283 | Patch |
| https://kb.cert.org/vuls/id/102648 | Third Party Advisory |
| https://www.npmjs.com/package/binary-parser | Product |
| https://www.kb.cert.org/vuls/id/102648 | Third Party Advisory |
Configurations
History
03 Feb 2026, 21:41
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/keichi/binary-parser - Product | |
| References | () https://github.com/keichi/binary-parser/pull/283 - Patch | |
| References | () https://kb.cert.org/vuls/id/102648 - Third Party Advisory | |
| References | () https://www.npmjs.com/package/binary-parser - Product | |
| References | () https://www.kb.cert.org/vuls/id/102648 - Third Party Advisory | |
| CWE | CWE-94 | |
| CPE | cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:* | |
| First Time |
Keichi
Keichi binary-parser |
21 Jan 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
21 Jan 2026, 00:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
20 Jan 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
20 Jan 2026, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-20 19:15
Updated : 2026-02-03 21:41
NVD link : CVE-2026-1245
Mitre link : CVE-2026-1245
CVE.ORG link : CVE-2026-1245
JSON object : View
Products Affected
keichi
- binary-parser
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')