CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution

A security vulnerability in the popular binary-parser npm library could allow attackers to execute arbitrary JavaScript code on affected Node.js applications. The flaw, tracked as CVE-2026-1245, affects all versions prior to 2.3.0 and was patched on November 26, 2025.

How the Vulnerability Works

The binary-parser library is a widely used parser builder for JavaScript that enables developers to parse binary data. It supports common data types including integers, floating-point values, strings, and arrays, and sees approximately 13,000 weekly downloads. The library's performance comes from a unique approach: it builds JavaScript source code as a string representing the parsing logic, then compiles it using the Function constructor and caches it as an executable function to parse buffers efficiently.

The vulnerability stems from a lack of sanitization of user-supplied values when the JavaScript parser code is dynamically generated at runtime. Specifically, attacker-controlled input can make its way into the generated code without adequate validation when parser field names or encoding parameters are constructed from untrusted sources.

Attack Scenario and Impact

According to the CERT Coordination Center (CERT/CC) advisory, applications that construct parser definitions using untrusted input are at risk. An attacker could exploit this by providing malicious input that gets incorporated into the dynamically generated parser code. This could result in the execution of arbitrary JavaScript code with the privileges of the Node.js process.

The potential impact includes:

• Access to local data
• Manipulation of application logic
• Execution of system commands
• Full compromise of the Node.js process

Importantly, applications that use only static, hard-coded parser definitions are not affected by this vulnerability. The risk is specifically tied to applications that dynamically construct parser definitions from user input.

Affected Versions and Patches

The vulnerability affects all versions of binary-parser prior to 2.3.0. The maintainers released a patch addressing the issue on November 26, 2025. Security researcher Maor Caplan discovered and reported the vulnerability.

Remediation and Best Practices

Immediate Action Required:

1. Upgrade to binary-parser version 2.3.0 or later
2. Review applications for instances where parser definitions are constructed from user-controlled input
3. Implement strict validation and sanitization of any input used in parser construction

Long-term Security Practices:

• Avoid passing user-controlled values into parser field names or encoding parameters
• Consider using static parser definitions where possible
• Implement input validation at multiple layers of the application
• Regularly audit dependencies for known vulnerabilities using tools like npm audit or Snyk

Broader Context

This vulnerability highlights a common security pattern in Node.js applications: the risks associated with dynamic code generation. The Function constructor and similar mechanisms that evaluate code at runtime are powerful tools but introduce significant security risks when combined with untrusted input.

Developers should be particularly cautious when:

• Building code strings from user input
• Using eval(), new Function(), or similar dynamic evaluation mechanisms
• Implementing template-based code generation

For applications requiring dynamic parsing capabilities, consider implementing strict input validation, using allow-lists for field names and encoding parameters, or exploring alternative libraries that don't rely on dynamic code generation.

Additional Resources

• CERT/CC Advisory
• binary-parser GitHub Repository
• npm Package Page
• OWASP Secure Coding Practices

Organizations using Node.js applications should immediately audit their codebases for binary-parser usage and apply the necessary patches to prevent potential exploitation.