CVE-2026-1245: Arbitrary JavaScript Execution via Code Injection in Node.js binary-parser Library

CVE-2026-1245 — Code Injection in binary-parser (Node.js)

CVE ID: CVE-2026-1245
Affected component: binary-parser (Node.js library)
Vulnerability type: Code Injection leading to Arbitrary JavaScript Execution
Severity: High
CVSS score: Not officially assigned at the time of disclosure
Exploitability: Conditional but realistic in misconfigured or unsafe implementations
Exploit availability: No widely published public exploit; exploitation is feasible in real-world scenarios
Official remediation: Upgrade to a fixed version (link provided at the end)


Overview

A code injection vulnerability was identified in the Node.js library binary-parser, a package commonly used to define and parse binary data structures. The vulnerability exists due to unsafe handling of dynamically generated JavaScript code inside the library when parser definitions are constructed.

In affected versions, internal parsing logic was generated at runtime using string interpolation. When values such as field names or encoding parameters were derived from untrusted or loosely validated input, those values were incorporated directly into executable JavaScript code. As a result, arbitrary JavaScript execution could be triggered within the Node.js process.


Root cause

The issue was caused by improper control over code generation.
Internally, the library relied on runtime code creation mechanisms to optimize parsing logic. Input values were embedded into generated functions without strict validation or escaping. When such input contained executable JavaScript fragments, the generated code would execute them as part of the normal parsing workflow.

This condition aligns with classic code-generation injection patterns, where data is mistakenly treated as code.


Conditions required for exploitation

Exploitation was not automatic and depended heavily on application design. The following conditions had to be met:

  • Parser definitions had to be built dynamically.
  • One or more parser attributes (for example, field names, lengths, or encodings) had to originate from user-controlled or external input.
  • That input had to reach the vulnerable code path without sanitization or strict validation.

If parser definitions were fully static and hard-coded by developers, exploitation was unlikely.


Impact

When exploited, arbitrary JavaScript code could be executed in the context of the running Node.js process. The impact depended on the privileges and environment of that process.

Potential consequences included:

  • Unauthorized access to application data
  • File system modification or data deletion
  • Execution of system commands
  • Lateral movement within internal networks
  • Complete application or server compromise in high-privilege deployments

Because execution occurred inside the application runtime, traditional perimeter defenses might not have prevented post-exploitation activity.


Proof-of-concept and exploitation status

At the time of analysis, no official or broadly circulated public proof-of-concept exploit had been released. However, the vulnerability mechanics were straightforward enough that exploitation could be achieved in controlled environments where unsafe parser construction was present.

For educational and defensive testing purposes, exploitation scenarios generally involved:

  • Supplying crafted input that altered parser field definitions
  • Triggering parser initialization or execution
  • Observing unintended JavaScript execution during parsing

Detection strategy

Detection should be focused on identifying unsafe parser usage patterns and abnormal runtime behavior rather than relying on signature-based exploit detection.

Application-level indicators

  • Unexpected or malformed parser field names appearing in logs
  • Parser definitions being created from request parameters, uploaded files, or configuration payloads
  • Runtime errors or stack traces referencing dynamically generated functions

Runtime and host indicators

  • Node.js processes spawning child processes unexpectedly
  • Outbound network connections initiated by components that normally do not communicate externally
  • File system changes occurring during parsing operations

Code-level indicators

  • Use of dynamic parser construction based on request data
  • Lack of validation or whitelisting for parser field names and encodings
  • Use of runtime code generation mechanisms triggered by variable input

Simple detection checklist (for Node.js projects)

The following checklist can be run during code review, CI, or security assessment:

  • All usages of binary-parser are identified.
  • Parser definitions are verified to be static or derived only from trusted sources.
  • No request parameters, uploaded data, or external configuration values are used directly in parser field definitions.
  • Validation or strict whitelisting is enforced for any dynamic parser attributes.
  • Application logs are reviewed for unexpected parser creation events.
  • Runtime monitoring is enabled for unexpected child process execution.

If any item cannot be confidently checked off, further review or remediation should be performed.
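
The first four checklist items can be partly automated in CI. The scanner below is an added example, not code from binary-parser or from the original post: it flags builder calls whose field name or `encoding` option is not a plain string literal. The method list is a subset of the library's API, the sample source is constructed, and a regex pass like this is a heuristic aid for review, not a substitute for it.

```javascript
// Added example: heuristic CI check; not part of binary-parser or the original post.
// Builder methods whose first argument is a field name (a subset of the library's API).
const BUILDER_CALL =
  /\.((?:u?int(?:8|16|32|64)|float|double)(?:le|be)?|bit\d+|string|buffer|array)\s*\(\s*([^,)]+)/g;
const ENCODING_OPT = /\bencoding\s*:\s*([^,}\s]+)/g;
const NAME_LITERAL = /^(['"])[A-Za-z_][A-Za-z0-9_]*\1$/; // quoted identifier, nothing else
const ENCODING_LITERAL = /^(['"])[A-Za-z0-9_-]+\1$/;     // quoted token such as 'utf8'

// 1-based line number of a character offset in the source text.
const lineOf = (src, index) => src.slice(0, index).split('\n').length;

function scanSource(source, file = '<inline>') {
  if (!/['"]binary-parser['"]/.test(source)) return []; // file does not load the library
  const findings = [];
  for (const m of source.matchAll(BUILDER_CALL)) {
    const arg = m[2].trim();
    if (!NAME_LITERAL.test(arg)) {
      findings.push({ file, line: lineOf(source, m.index), kind: 'field-name', method: m[1], arg });
    }
  }
  for (const m of source.matchAll(ENCODING_OPT)) {
    if (!ENCODING_LITERAL.test(m[1])) {
      findings.push({ file, line: lineOf(source, m.index), kind: 'encoding', arg: m[1] });
    }
  }
  return findings;
}

// Constructed sample: one static definition and one built from request data.
const SAMPLE = [
  "const { Parser } = require('binary-parser');",
  "const fixed = new Parser().uint8('version').uint16be('length');",
  "const dyn = new Parser().string(req.body.field, { encoding: req.body.enc, length: 4 });",
].join('\n');

function scanSample() {
  return scanSource(SAMPLE, 'sample.js');
}
```

Each finding is a location to review by hand; a non-literal argument is acceptable only if it has already passed strict validation.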


Sample validation rule

The following illustrates a conceptual validation approach that should be enforced before any dynamic parser definition is created:

  • Only predefined field names are allowed.
  • Any field name not present in an explicit allowlist is rejected.
  • Encodings are restricted to a known safe set.
  • Parser creation is aborted if validation fails.

This approach ensures that no arbitrary or unexpected values can reach internal code-generation paths.
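
One way to implement the rule above, as an added example that is not code from binary-parser or from the original post. The allowlists, the spec shape (`name`, `type`, `encoding`, `length`) and the function names are assumptions for illustration; the `Parser` constructor is passed in so the validator runs without the library installed.

```javascript
// Added example: allowlist check applied before any dynamic parser definition is built.
// ALLOWED_FIELDS, ALLOWED_ENCODINGS and the spec shape are assumptions for illustration.
const ALLOWED_FIELDS = new Map([ // explicit name -> type allowlist, never a pattern
  ['version', 'uint8'],
  ['length', 'uint16be'],
  ['label', 'string'],
]);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'hex']);
const MAX_STRING_LENGTH = 256;

function validateParserSpec(spec) {
  if (!Array.isArray(spec) || spec.length === 0 || spec.length > ALLOWED_FIELDS.size) {
    throw new TypeError('spec must be a non-empty array no longer than the allowlist');
  }
  const seen = new Set();
  return spec.map((field, i) => {
    if (field === null || typeof field !== 'object') throw new TypeError(`field ${i}: not an object`);
    const { name, type, encoding, length } = field;
    // typeof first: an object with a custom toString() must not pass as a name.
    if (typeof name !== 'string' || !ALLOWED_FIELDS.has(name)) {
      throw new Error(`field ${i}: name is not in the allowlist`);
    }
    if (seen.has(name)) throw new Error(`field ${i}: duplicate name`);
    if (type !== ALLOWED_FIELDS.get(name)) throw new Error(`field ${i}: type not permitted`);
    seen.add(name);
    if (type !== 'string') return Object.freeze({ name, type });
    if (typeof encoding !== 'string' || !ALLOWED_ENCODINGS.has(encoding)) {
      throw new Error(`field ${i}: encoding is not in the allowlist`);
    }
    if (!Number.isInteger(length) || length < 1 || length > MAX_STRING_LENGTH) {
      throw new Error(`field ${i}: length out of range`);
    }
    return Object.freeze({ name, type, encoding, length });
  });
}

// Parser is injected (for example require('binary-parser').Parser) so this file runs stand-alone.
function buildParser(Parser, untrustedSpec) {
  const fields = validateParserSpec(untrustedSpec); // throws, so no parser is created on failure
  return fields.reduce((p, f) => (f.type === 'string'
    ? p.string(f.name, { encoding: f.encoding, length: f.length })
    : p[f.type](f.name)), new Parser());
}
```

Error messages report the field index rather than the rejected value, so untrusted input is not echoed into logs.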


Mitigation guidance

Immediate action

The library should be upgraded to a version where unsafe code generation has been corrected and input handling has been hardened.

Additional hardening

  • Least-privilege execution should be applied to Node.js services.
  • Dynamic code generation should be avoided where possible.
  • Dependency scanning and regular updates should be integrated into CI/CD pipelines.
  • Security reviews should be conducted for any code that constructs executable logic at runtime.

Official patch / upgrade link

binary-parser (official package and patched versions):
https://www.npmjs.com/package/binary-parser

Upgrading to version 2.3.0 or later resolves the vulnerability.


Final Takeaway

  • This vulnerability exists because older versions of binary-parser build and run code from the values supplied in parser definitions.
  • If attackers can control that input, they can make it run whatever JavaScript they want.
  • There’s no public exploit code right now, but the risk is real if your code uses parser definitions built from untrusted values.
  • The only correct remedy is to update the library and stop trusting unfiltered input in parser definitions.

Aegiron
