{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1245", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-01-20T18:48:57.730Z", "datePublished": "2026-01-20T18:50:34.232Z", "dateUpdated": "2026-01-21T17:10:56.426Z"}, "containers": {"cna": {"title": "CVE-2026-1245", "descriptions": [{"lang": "en", "value": "A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process."}], "source": {"discovery": "EXTERNAL"}, "affected": [{"vendor": "binary-parser", "product": "binary-parser", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.0", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u2018Eval Injection\u2019)"}]}], "references": [{"url": "https://github.com/keichi/binary-parser/pull/283"}, {"url": "https://github.com/keichi/binary-parser"}, {"url": "https://www.npmjs.com/package/binary-parser"}, {"url": "https://kb.cert.org/vuls/id/102648"}], "x_generator": {"engine": "VINCE 3.0.31", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-1245"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-21T17:10:56.426Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/102648"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-20T20:23:29.425Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T16:44:44.620209Z", "id": "CVE-2026-1245", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:45:09.018Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/102648"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-20T20:23:29.425Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1245", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T16:44:44.620209Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:45:04.858Z"}}], "cna": {"title": "CVE-2026-1245", "source": {"discovery": "EXTERNAL"}, "affected": [{"vendor": "binary-parser", "product": "binary-parser", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.0", "versionType": "custom"}]}], "references": [{"url": "https://github.com/keichi/binary-parser/pull/283"}, {"url": "https://github.com/keichi/binary-parser"}, {"url": "https://www.npmjs.com/package/binary-parser"}, {"url": "https://kb.cert.org/vuls/id/102648"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.31", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-1245"}, "descriptions": [{"lang": "en", "value": "A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u2018Eval Injection\u2019)"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-21T17:10:56.426Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1245", "state": "PUBLISHED", "dateUpdated": "2026-01-21T17:10:56.426Z", "dateReserved": "2026-01-20T18:48:57.730Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-01-20T18:50:34.232Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7FCCACB7-F3FF-4E03-91E5-3D0E0D2F69A2", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process."}], "id": "CVE-2026-1245", "lastModified": "2026-02-03T21:41:59.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-20T19:15:50.573", "references": [{"source": "cret@cert.org", "tags": ["Product"], "url": "https://github.com/keichi/binary-parser"}, {"source": "cret@cert.org", "tags": ["Patch"], "url": "https://github.com/keichi/binary-parser/pull/283"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://kb.cert.org/vuls/id/102648"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/binary-parser"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.kb.cert.org/vuls/id/102648"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:46:06.021341+00:00", "value": {"mitigation_remediation": ["Upgrade binary-parser to version\u202f2.3.0 or later.", "If an upgrade is infeasible, ensure that all data supplied to parser field names and encoding parameters is strictly validated or sanitized to prevent injection of executable code.", "Implement runtime checks to block unexpected characters in field names and encoding values, reducing the attack surface until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Node.js code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source binary-parser package published by keichi. All releases prior to version\u202f2.3.0 are susceptible; versions 2.3.0 and later include the fix. The library is typically used in Node.js\u2011based projects via npm.", "description_and_impact": "The binary-parser library accepts parser field names and encoding parameters from untrusted data and directly interpolates them into dynamically generated code without sanitization. This flaw, identified as an instance of code injection (CWE\u201194), allows an attacker to execute arbitrary JavaScript within the Node.js process that consumes the library, leading to full compromise of the application context.", "risk_and_exploitability": "With a CVSS score of 6.5 the flaw carries medium severity. The EPSS score is less than 1\u202f%, and the vulnerability is not currently listed in CISA\u2019s KEV catalog, indicating a low probability of widespread exploitation. Since the attacker must supply crafted input that is processed by binary-parser, the attack vector is essentially local or requires compromise of an application that leverages the library. If an attacker controls or injects untrusted data into the parser, they can execute arbitrary code in the same privilege context as the Node.js process."}}}}, "created": "2026-01-21T11:18:50.642577+00:00", "title": "Arbitrary JavaScript Execution via Unsanitized Field Names in binary-parser", "updated": "2026-04-18T05:00:06.021822+00:00", "vendors": ["keichi", "keichi$PRODUCT$binary-parser"]}