CVE-2026-1245

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-1245

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1245.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-1245

Aliases

GHSA-m39p-34qh-rh3w

Published

2026-01-20T19:15:50.573Z

Modified

2026-03-13T04:01:19.952008Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

References

Affected packages

Git / github.com/keichi/binary-parser

Affected ranges

Type

GIT

Repo

https://github.com/keichi/binary-parser

Events

Introduced

Fixed

5efc2c051572e38cd248a53a02482c1382b1142d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.0"
        }
    ]
}

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

1.*

1.0.0

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.3.0

1.3.1

1.3.2

v1.*

v1.3.3

v1.4.0

v1.6.2

v1.7.0

v1.8.0

v1.9.0

v1.9.1

v1.9.2

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.1.0

v2.2.0

v2.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1245.json"