CERT/CC Warns That binary-parser Flaw Enables Code Execution at Node.js Privilege Level

A newly disclosed security flaw in the widely used binary-parser npm package could allow attackers to execute arbitrary JavaScript code if exploited. Tracked as CVE-2026-1245 (CVSS pending), the vulnerability impacts every release of the library prior to version 2.3.0, which contains the official fix. The maintainer issued patched versions on November 26, 2025.

Binary-parser is a popular JavaScript parser builder used to process binary data, supporting data types such as integers, floats, strings, and arrays. The library sees roughly 13,000 downloads per week, making the exposure particularly notable.

According to a security advisory published by the CERT Coordination Center (CERT/CC), the flaw stems from insufficient validation of user-controlled inputs including parser field names and encoding options when generating parser logic on the fly using the JavaScript Function constructor.

The library assembles JavaScript source code as a string representing the desired parsing behavior, compiles it dynamically with the Function constructor, and caches the resulting function for performance. However, CVE-2026-1245 makes it possible for attacker-supplied values to be inserted into this generated code without proper sanitization. If an application builds parser definitions using untrusted data, this can lead to arbitrary code execution.

Applications that rely exclusively on predefined, hard-coded parser structures are not impacted.

“For applications that construct parser definitions with untrusted input, an attacker could run arbitrary JavaScript with the same privileges as the Node.js process,” CERT/CC warned. “Depending on how the application is deployed, this may enable access to local files, manipulation of application logic, or execution of system level commands.”

Security researcher Maor Caplan is credited with identifying and reporting the issue. Users of binary-parser are urged to upgrade to version 2.3.0 immediately and avoid allowing user-controlled values to influence parser field names or encoding settings.
