CVE-2026-1245

6.5 MEDIUM

📋 TL;DR

A code injection vulnerability in binary-parser library versions before 2.3.0 allows attackers to execute arbitrary JavaScript code when untrusted input is used in parser field names or encoding parameters. This affects any Node.js application using vulnerable versions of binary-parser to parse untrusted data. Successful exploitation gives attackers full control of the Node.js process.

💻 Affected Systems

Products:
  • binary-parser
Versions: All versions before 2.3.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when parsing untrusted data. Applications that only parse trusted/sanitized data are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Node.js process allowing arbitrary code execution, data theft, privilege escalation, and lateral movement within the environment.

🟠 Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential server takeover.

🟢 If Mitigated

No impact if input validation prevents untrusted data from reaching vulnerable parser functions.

🌐 Internet-Facing: HIGH - Web applications parsing user-supplied binary data are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal services parsing untrusted data remain vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control parser field names or encoding parameters. A public proof-of-concept exists in GitHub pull request #283.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://github.com/keichi/binary-parser/pull/283

Restart Required: Yes

Instructions:

1. Update binary-parser to version 2.3.0 or later (npm update binary-parser).
2. Restart all Node.js applications that use the library.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation (applies to: all platforms)

Implement strict input validation to ensure only trusted, whitelisted values are used as parser field names and encoding parameters.
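The allowlist check this workaround describes, as an added example (not code from the advisory or from the binary-parser project). It assumes the application already knows the fixed set of field names and string encodings its formats use (ALLOWED_FIELDS and ALLOWED_ENCODINGS below are constructed placeholders) and runs the check before any caller-supplied value reaches a Parser method; binary-parser itself is not imported.

```javascript
'use strict';

// Field names the application itself defines for its binary formats.
// Constructed placeholder set; replace with the real schema.
const ALLOWED_FIELDS = new Set(['magic', 'version', 'length', 'payload']);

// String encodings the application is willing to pass as an `encoding`
// option. Constructed placeholder set; keep it as small as the formats need.
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex']);

// Identifier shape: a letter or underscore followed by letters, digits or
// underscores. Quotes, brackets, dots and whitespace never pass.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// A field name is accepted only if it has identifier shape AND is in the
// allowlist; the allowlist is the real control, the regex is defence in depth.
function isSafeFieldName(name) {
  return typeof name === 'string'
    && name.length <= 64
    && IDENT.test(name)
    && ALLOWED_FIELDS.has(name);
}

// An encoding is accepted only if it is allowlisted and Buffer recognises it.
function isSafeEncoding(encoding) {
  return typeof encoding === 'string'
    && ALLOWED_ENCODINGS.has(encoding)
    && Buffer.isEncoding(encoding);
}

// Takes caller-supplied field specs such as
//   [{ name: 'length' }, { name: 'payload', encoding: 'utf8' }]
// and returns a cleaned copy containing only the validated keys, or throws.
// Error messages deliberately do not echo the rejected value into logs.
function sanitizeFieldSpecs(specs) {
  if (!Array.isArray(specs)) throw new TypeError('field specs must be an array');
  return specs.map((spec, i) => {
    if (spec === null || typeof spec !== 'object') {
      throw new TypeError(`spec ${i} is not an object`);
    }
    if (!isSafeFieldName(spec.name)) {
      throw new RangeError(`spec ${i}: field name is not in the allowlist`);
    }
    const clean = { name: spec.name };
    if (spec.encoding !== undefined) {
      if (!isSafeEncoding(spec.encoding)) {
        throw new RangeError(`spec ${i}: encoding is not in the allowlist`);
      }
      clean.encoding = spec.encoding;
    }
    return clean;
  });
}

// Constructed input standing in for a request body: two good specs (one
// carrying an extra key that is dropped) and one spec that must be rejected.
function demo() {
  const fromRequest = [
    { name: 'length' },
    { name: 'payload', encoding: 'utf8', comment: 'extra keys are dropped' },
  ];
  const clean = sanitizeFieldSpecs(fromRequest);
  let rejected = false;
  try {
    sanitizeFieldSpecs([{ name: 'not a field' }]);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { clean, rejected };
}

module.exports = { isSafeFieldName, isSafeEncoding, sanitizeFieldSpecs, demo };
```

Only the cleaned array returned by sanitizeFieldSpecs should ever be turned into Parser calls; the allowlist, not the identifier regex, is what actually bounds the values, so it must list exactly the fields the application's own formats define and nothing more.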

Library Pinning (applies to: all platforms)

Pin binary-parser to version 2.3.0 or later in package.json to prevent an accidental downgrade:

npm install binary-parser@^2.3.0

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to binary-parser functions.
  • Isolate vulnerable applications in network segments with restricted outbound connectivity.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/binary-parser/package.json for a version number below 2.3.0.

Check Version:

npm list binary-parser | grep binary-parser

Verify Fix Applied:

Verify binary-parser version is 2.3.0 or higher using npm list binary-parser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js applications
  • Suspicious JavaScript execution patterns
  • Unexpected network connections from Node.js processes

Network Indicators:

  • Outbound connections to unexpected destinations from Node.js applications
  • Command and control traffic patterns

SIEM Query:

process.name:node.exe AND (process.cmdline:*binary-parser* OR process.cmdline:*eval*)

The process name above is the Windows one; on Linux and macOS the Node.js process is named node, so adjust the query to the host platform.
