PT-2026-3643 · Unknown · Binary-Parser

Keichi · Published 2026-01-20 · Updated 2026-02-03 · CVE-2026-1245

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

binary-parser versions prior to 2.3.0

Description

A code injection flaw exists in the binary-parser library. This issue allows for arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without proper sanitization, enabling attackers to execute code within the Node.js process. The issue is due to the use of the Function constructor with unsanitized input. This could lead to data access, logic manipulation, or system command execution. The vulnerability is also referred to as 'ParserPoison'.

Recommendations

Upgrade to binary-parser version 2.3.0 or newer.
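
The pattern named in the description, shown as an added example that is not binary-parser's own code: a toy generator that interpolates field names and encodings into a `Function` body, next to a form that allowlists both and emits them only as JSON string literals. The names `compileUnsafe`, `compileSafe` and `validateField`, the schema shape, and the sample buffer are constructed for illustration.

```javascript
// Toy code generator (constructed for illustration; not binary-parser's source).
// Each field is { name, offset, length, encoding } read from a Buffer.

// Vulnerable pattern: field values are pasted into source text for Function().
function compileUnsafe(fields) {
  const body = fields.map(f =>
    `out.${f.name} = buf.toString('${f.encoding}', ${f.offset}, ${f.offset + f.length});`
  ).join('\n');
  return new Function('buf', `const out = {};\n${body}\nreturn out;`);
}

// Hardened pattern: validate against strict allowlists, then emit values only
// as JSON string literals so they cannot terminate the surrounding syntax.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;
const ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex', 'base64', 'utf16le']);

function validateField(f) {
  if (typeof f.name !== 'string' || !IDENTIFIER.test(f.name)) {
    throw new TypeError(`invalid field name: ${JSON.stringify(f.name)}`);
  }
  if (!ENCODINGS.has(f.encoding)) {
    throw new TypeError(`invalid encoding: ${JSON.stringify(f.encoding)}`);
  }
  if (!Number.isInteger(f.offset) || !Number.isInteger(f.length) ||
      f.offset < 0 || f.length < 0) {
    throw new TypeError('offset and length must be non-negative integers');
  }
  return f;
}

function compileSafe(fields) {
  const body = fields.map(validateField).map(f =>
    `out[${JSON.stringify(f.name)}] = buf.toString(` +
    `${JSON.stringify(f.encoding)}, ${f.offset}, ${f.offset + f.length});`
  ).join('\n');
  return new Function('buf', `const out = Object.create(null);\n${body}\nreturn out;`);
}

// Constructed sample input: a 4-byte record, a normal schema, and a schema
// whose field name carries an extra statement instead of a plain identifier.
const SAMPLE = Buffer.from('ABCD', 'ascii');
const GOOD = [{ name: 'tag', offset: 0, length: 4, encoding: 'ascii' }];
const TAINTED = [{ name: 'tag = 0; out.injected = true; out.rest',
                   offset: 0, length: 4, encoding: 'ascii' }];
```

With `TAINTED`, `compileUnsafe` produces a parser whose output contains a field the schema never declared, while `compileSafe` rejects the schema before any code is generated.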

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-1245
GHSA-M39P-34QH-RH3W

Affected Products

Binary-Parser