CERT/CC Warns binary-parser Vulnerability Could Allow Node.js Arbitrary JavaScript Code Execution
A vulnerability has been identified in the widely used binary-parser npm library that, if abused, can lead to execution of arbitrary JavaScript code within affected applications.
The issue, cataloged as CVE-2026-1245 (CVSS score: N/A), impacts all releases of the package before version 2.3.0, which contains the fix. The patched version was made available on November 26, 2025.
Binary-parser is a common parser-construction library for JavaScript that developers use to interpret binary data. It handles many standard data types, including integers, floating-point numbers, strings, and arrays, and currently averages about 13,000 downloads per week.
Per an advisory from the CERT Coordination Center (CERT/CC), the root cause is a failure to sanitize user-controlled values — such as parser field names and encoding parameters — when JavaScript parser code is generated dynamically at runtime using the `Function` constructor.
It’s worth noting that the npm package generates JavaScript source code as a string that encodes the parsing logic, compiles that string using the `Function` constructor, and then caches the resulting function for efficient buffer parsing.
With CVE-2026-1245, attacker-controlled input can be incorporated into this generated code without proper validation. This allows untrusted data to influence the parsing logic and can result in arbitrary code execution. Workloads that rely only on static, hard-coded parser definitions are not exposed to this behavior.
“In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process,” CERT/CC said. “This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.”
Security researcher Maor Caplan is credited with identifying and reporting the issue. Environments relying on binary-parser should upgrade to version 2.3.0 and ensure that parser field names and encoding parameters are never derived from user-controlled data.
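The advisory's root cause (untrusted field names and encoding parameters interpolated into source that is compiled with the `Function` constructor) and its mitigation suggest a concrete check. The snippet below is an added example, not binary-parser's own code: a deliberately small parser generator in the same style that validates every field name against an identifier allowlist and every encoding against a fixed set before either string can reach the generated source. The function names, the three supported field types and the allowlists are assumptions for the illustration.

```javascript
// Added example: a minimal, hardened parser-code generator in the style the
// advisory describes. Names and the supported field set are assumptions.
const FIELD_NAME_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ALLOWED_ENCODINGS = new Set(["utf8", "ascii", "latin1", "hex"]);
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Reject anything that is not a plain identifier: a name that passes this
// check cannot terminate the string literal it is embedded in.
function validateFieldName(name) {
  if (typeof name !== "string" || !FIELD_NAME_RE.test(name) || RESERVED.has(name)) {
    throw new TypeError(`invalid field name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Encodings are matched against a fixed allowlist, never interpolated raw.
function validateEncoding(enc) {
  if (!ALLOWED_ENCODINGS.has(enc)) {
    throw new TypeError(`unsupported encoding: ${JSON.stringify(enc)}`);
  }
  return enc;
}

// fields: [{ name, type, length?, encoding? }]; the type set is deliberately tiny.
function buildParser(fields) {
  let src = "let offset = 0; const out = {};\n";
  for (const f of fields) {
    const key = JSON.stringify(validateFieldName(f.name)); // always a quoted literal
    switch (f.type) {
      case "uint8":
        src += `out[${key}] = buf.readUInt8(offset); offset += 1;\n`;
        break;
      case "uint16le":
        src += `out[${key}] = buf.readUInt16LE(offset); offset += 2;\n`;
        break;
      case "string": {
        // Length must be a non-negative integer so only a numeric literal is emitted.
        if (!Number.isInteger(f.length) || f.length < 0) throw new TypeError("string field needs integer length");
        const enc = JSON.stringify(validateEncoding(f.encoding ?? "utf8"));
        src += `out[${key}] = buf.toString(${enc}, offset, offset + ${f.length}); offset += ${f.length};\n`;
        break;
      }
      default:
        throw new TypeError(`unsupported field type: ${JSON.stringify(f.type)}`);
    }
  }
  src += "return out;";
  return new Function("buf", src); // compiled once, then reused for every buffer
}
```

Definitions that come from a request body or a config upload should still be treated as untrusted after this check; the allowlist only guarantees that a name or encoding cannot alter the generated parsing logic.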
