CVE-2026-1245 - Vulnerability Details

Description

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

Published: 2026-01-20

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The binary-parser library accepts parser field names and encoding parameters from untrusted data and directly interpolates them into dynamically generated code without sanitization. This flaw, identified as an instance of code injection (CWE‑94), allows an attacker to execute arbitrary JavaScript within the Node.js process that consumes the library, leading to full compromise of the application context.

Affected Systems

The vulnerability affects the open‑source binary-parser package published by keichi. All releases prior to version 2.3.0 are susceptible; versions 2.3.0 and later include the fix. The library is typically used in Node.js‑based projects via npm.

Risk and Exploitability

With a CVSS score of 6.5 the flaw carries medium severity. The EPSS score is less than 1 %, and the vulnerability is not currently listed in CISA’s KEV catalog, indicating a low probability of widespread exploitation. Since the attacker must supply crafted input that is processed by binary-parser, the attack vector is essentially local or requires compromise of an application that leverages the library. If an attacker controls or injects untrusted data into the parser, they can execute arbitrary code in the same privilege context as the Node.js process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

binary-parser

affected

Version	Status	Constraints
`0`	affected	< 2.3.0

Configuration 1 [-]

cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:*

No data.

Vendor	Product	Confidence	Versions
Keichi	Binary-parser	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade binary-parser to version 2.3.0 or later.
If an upgrade is infeasible, ensure that all data supplied to parser field names and encoding parameters is strictly validated or sanitized to prevent injection of executable code.
Implement runtime checks to block unexpected characters in field names and encoding values, reducing the attack surface until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 04:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m39p-34qh-rh3w	binary-parser library has a code injection vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00072.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/keichi/binary-parser
https://github.com/keichi/binary-parser/pull/283
https://kb.cert.org/vuls/id/102648
https://www.kb.cert.org/vuls/id/102648
https://www.npmjs.com/package/binary-parser

History

Tue, 03 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
CPEs		cpe:2.3:a:keichi:binary-parser::::::node.js::*

Wed, 21 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Keichi Keichi binary-parser
Vendors & Products		Keichi Keichi binary-parser

Tue, 20 Jan 2026 23:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/keichi/binary-parser https://kb.cert.org/vuls/id/102648 https://www.npmjs.com/package/binary-parser

Tue, 20 Jan 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://www.kb.cert.org/vuls/id/102648

Tue, 20 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.
Title		CVE-2026-1245
References		https://github.com/keichi/binary-parser/pull/283

Subscriptions

Keichi Binary-parser

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-01-20T18:50:34.232Z

Updated: 2026-01-21T17:10:56.426Z

Reserved: 2026-01-20T18:48:57.730Z

Link: CVE-2026-1245

Vulnrichment

Updated: 2026-01-20T20:23:29.425Z

NVD

Status : Analyzed

Published: 2026-01-20T19:15:50.573

Modified: 2026-02-03T21:41:59.230

Link: CVE-2026-1245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object