CVE-2026-1245 — binary-parser library has a code injection vulnerability

Description

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

How to fix CVE-2026-1245

To remediate CVE-2026-1245, upgrade the affected package to a fixed version below.

—upgrade to 2.3.0 or later

Is CVE-2026-1245 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-1245
PATCHgithub.com/keichi/binary-parser
WEBgithub.com/keichi/binary-parser/pull/283
WEBkb.cert.org/vuls/id/102648
WEBwww.cve.org/CVERecord?id=CVE-2026-1245