"The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a widely used parser builder for JavaScript that allows developers to parse binary data. It supports a wide range of common data types, including integers, floating-point values, strings, and arrays. The package attracts approximately 13,000 downloads on a weekly basis."
"According to an advisory released by the CERT Coordination Center (CERT/CC), the vulnerability has to do with a lack of sanitization of user-supplied values, such as parser field names and encoding parameters, when the JavaScript parser code is dynamically generated at runtime using the "Function" constructor. It's worth noting that the npm library builds JavaScript source code as a string that represents the parsing logic and compiles it using the Function constructor and caches it as an executable function to parse buffers efficiently."
CVE-2026-1245 affects binary-parser versions prior to 2.3.0, with patches released on November 26, 2025. The flaw results from insufficient sanitization of user-supplied values such as parser field names and encoding parameters when JavaScript parser code is dynamically generated and compiled using the Function constructor. Attacker-controlled input can be injected into generated code, causing arbitrary JavaScript execution with the privileges of the Node.js process. Applications using only static, hard-coded parser definitions are not affected. Potential impacts include access to local data, manipulation of application logic, or execution of system commands. Researcher Maor Caplan reported the issue.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]