Critical Vulnerability in ‘binary-parser’ npm Library Enables Arbitrary Code Execution in Node.js
A significant security flaw has been identified in the widely-used ‘binary-parser’ npm library, potentially allowing attackers to execute arbitrary JavaScript code within Node.js applications. This vulnerability, designated as CVE-2026-1245, affects all versions of the library prior to 2.3.0. The issue was addressed with the release of version 2.3.0 on November 26, 2025.
Overview of ‘binary-parser’:
‘binary-parser’ is a JavaScript library designed to facilitate the parsing of binary data. It supports various data types, including integers, floating-point numbers, strings, and arrays, making it a valuable tool for developers working with binary data structures. The library boasts approximately 13,000 weekly downloads, underscoring its widespread adoption in the developer community.
Details of the Vulnerability:
The vulnerability arises from insufficient sanitization of user-supplied inputs, such as parser field names and encoding parameters. The library uses these inputs when it dynamically generates JavaScript parser code at runtime via the ‘Function’ constructor. If an attacker can control them, they may inject malicious code into the dynamically generated parser, leading to the execution of arbitrary JavaScript code within the Node.js process.
The ‘binary-parser’ library constructs JavaScript source code as a string representing the parsing logic. This string is then compiled using the ‘Function’ constructor and cached as an executable function to efficiently parse buffers. However, due to the lack of proper validation, attacker-controlled inputs can be incorporated into the generated code without adequate checks. This flaw allows applications that parse untrusted data to become vectors for arbitrary code execution.
It’s important to note that applications utilizing only static, hard-coded parser definitions are not susceptible to this vulnerability. The risk primarily affects applications that dynamically construct parser definitions based on untrusted input.
Potential Impact:
According to the CERT Coordination Center (CERT/CC), exploiting this vulnerability could enable attackers to execute arbitrary JavaScript code with the same privileges as the Node.js process. This level of access could lead to:
– Data Breaches: Unauthorized access to sensitive local data stored on the server.
– Application Manipulation: Alteration of application logic, potentially leading to unintended behaviors or security bypasses.
– System Command Execution: Depending on the deployment environment, attackers might execute system-level commands, leading to further compromise of the host system.
The severity of these impacts underscores the critical nature of this vulnerability and the necessity for prompt remediation.
Discovery and Reporting:
Security researcher Maor Caplan is credited with discovering and reporting this vulnerability. His efforts have been instrumental in bringing this issue to light and facilitating the development of a patch to address the flaw.
Recommendations for Mitigation:
Users and developers utilizing the ‘binary-parser’ library are strongly advised to take the following actions:
1. Upgrade to Version 2.3.0 or Later: Ensure that your application is using ‘binary-parser’ version 2.3.0 or a more recent release. This version includes patches that address the identified vulnerability.
2. Avoid Using Untrusted Inputs: Refrain from passing user-controlled values into parser field names or encoding parameters. If dynamic parser definitions are necessary, implement rigorous input validation and sanitization to prevent potential code injection.
3. Review Application Code: Conduct a thorough review of your application’s codebase to identify any instances where untrusted input might influence parser definitions. Implement necessary safeguards to mitigate associated risks.
4. Monitor for Unusual Activity: Keep an eye on application logs and system behavior for any signs of unauthorized access or unusual activity that could indicate exploitation attempts.
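For step 2, one way to validate a dynamic parser definition before it reaches the library, shown as an added example that is not code from ‘binary-parser’ or from the advisory. The field description shape ({ name, type, encoding, length }), the function name validateDefinition, and the allowlists and limits are assumptions made for this example.

```javascript
// Allowlists chosen for this example; widen them only to what your formats need.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
const TYPES = new Set(['uint8', 'uint16be', 'uint16le', 'uint32be', 'uint32le', 'string']);
const ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex']);
const MAX_FIELDS = 64;
const MAX_STRING_LENGTH = 4096;

// Returns a sanitized copy of an untrusted definition, or throws TypeError.
// Only allowlisted keys are copied, so unknown options never reach the parser builder.
function validateDefinition(fields) {
  if (!Array.isArray(fields) || fields.length < 1 || fields.length > MAX_FIELDS) {
    throw new TypeError(`definition must be an array of 1..${MAX_FIELDS} fields`);
  }
  const seen = new Set();
  return fields.map((field, i) => {
    if (field === null || typeof field !== 'object') {
      throw new TypeError(`field ${i}: not an object`);
    }
    const { name, type, encoding, length } = field;
    if (typeof name !== 'string' || !FIELD_NAME.test(name) || RESERVED.has(name)) {
      throw new TypeError(`field ${i}: name not allowed`);
    }
    if (seen.has(name)) throw new TypeError(`field ${i}: duplicate name`);
    seen.add(name);
    if (typeof type !== 'string' || !TYPES.has(type)) {
      throw new TypeError(`field ${i}: type not allowed`);
    }
    const clean = { name, type };
    if (type === 'string') {
      if (typeof encoding !== 'string' || !ENCODINGS.has(encoding)) {
        throw new TypeError(`field ${i}: encoding not allowed`);
      }
      if (!Number.isInteger(length) || length < 1 || length > MAX_STRING_LENGTH) {
        throw new TypeError(`field ${i}: length must be an integer 1..${MAX_STRING_LENGTH}`);
      }
      clean.encoding = encoding;
      clean.length = length;
    }
    return Object.freeze(clean);
  });
}

// Constructed sample: a definition as it might arrive in a request body.
const sample = [
  { name: 'magic', type: 'uint32be' },
  { name: 'label', type: 'string', encoding: 'utf8', length: 8, extra: 'dropped' },
];
console.log(validateDefinition(sample));
```

Build the parser only from the returned objects, never from the original request data, and treat a thrown TypeError as a rejected request worth logging.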
Broader Context:
This vulnerability highlights the ongoing challenges in securing open-source libraries and the importance of proactive security practices. Developers are encouraged to stay informed about vulnerabilities in third-party libraries and to apply updates promptly. Additionally, adopting secure coding practices, such as input validation and the principle of least privilege, can significantly reduce the risk of similar vulnerabilities.
The ‘binary-parser’ vulnerability serves as a reminder of the critical role that community vigilance and prompt action play in maintaining the security of the software ecosystem.