A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript.
The vulnerability, tracked as CVE-2026-1245 (CVSS score: 6.5), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025.
Binary-parser is a widely used parser builder for JavaScript that allows developers to parse binary data. It supports a wide range of common data types, including integers, floating-point values, strings, and arrays. The package attracts approximately 13,000 downloads on a weekly basis.
According to an advisory released by the CERT Coordination Center (CERT/CC), the vulnerability has to do with a lack of sanitization of user-supplied values, such as parser field names and encoding parameters, when the JavaScript parser code is dynamically generated at runtime using the "Function" constructor.
It's worth noting that the npm library builds JavaScript source code as a string that represents the parsing logic and compiles it using the Function constructor and caches it as an executable function to parse buffers efficiently.
However, as a result of CVE-2026-1245, an attacker-controlled input could make its way to the generated code without adequate validation, causing the application to parse untrusted data, resulting in the execution of arbitrary code. Applications that use only static, hard-coded parser definitions are not affected by the flaw.
"In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process," CERT/CC said. "This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment."
Alma Security researcher Maor Caplan has been credited with discovering and reporting the vulnerability. Users of binary-parser are advised to upgrade to version 2.3.0 and avoid passing user-controlled values into parser field names or encoding parameters.
Update
In a follow-up analysis published on January 26, 2026, Alma Security said the vulnerability is rooted in the fact that the library passes encoding parameters or a field name provided in the schema, or without any validation, to generate the JavaScript code. It has codenamed the flaw ParserPoison.
"The vulnerability (CVE-2026-1245) exists because binary-parser compiles parser definitions into JavaScript functions using the new Function() constructor," Caplan said. "While this approach is great for performance, the library was directly interpolating variable names and encoding parameters without sufficient sanitization."
As a result of this behavior, if an attacker provides a value like "x; console.log("Hacked");" for the field name, the generated parser function becomes "vars.x; console.log("Hacked");." This renders any application that dynamically constructs parsers from untrusted schema susceptible to the flaw.
"ParserPoison serves as a stark reminder that the most efficient code is often the most dangerous if left unguarded," Caplan added. "As we continue to move toward high-performance, JIT-like compilation patterns in our libraries, proactive auditing of these dynamic 'sinks' remains a critical line of defense for the open-source ecosystem."
(The story was updated after publication on January 27, 2026, with additional details of the flaw shared by Alma Security.)
