CVE-2026-1245 Code Injection in Node.js *binary-parser* via Dynamic Function Generation
A code-injection vulnerability in the Node.js npm package binary-parser can allow attackers to execute arbitrary JavaScript when applications build parser definitions from untrusted input. Tracked as CVE-2026-1245, the issue affects binary-parser versions < 2.3.0 and stems from the library’s use of dynamic code generation: it constructs JavaScript source at runtime and compiles it using the Function constructor for performance.
CERT/CC and third-party reporting indicate the flaw occurs because user-supplied values—notably parser field names and encoding parameters—can be incorporated into the generated code without sanitization, enabling attacker-controlled modification of the resulting executable parser logic. Impact depends on how the library is used: applications with static, hard-coded parser definitions are not affected, but implementations that allow external input to influence parser structure (e.g., user-defined parsing of uploaded content) may enable code execution with the privileges of the Node.js process; upgrading to 2.3.0 is the primary remediation, with patches noted as released November 26, 2025.
Timeline
Jan 21, 2026
CERT/CC warns of CVE-2026-1245 in binary-parser
CERT/CC published an advisory for CVE-2026-1245, warning that applications which build parser definitions from untrusted input could allow arbitrary JavaScript execution in the Node.js process context. The advisory noted that static, hard-coded parser definitions are not affected and urged users to upgrade.
Nov 26, 2025
binary-parser 2.3.0 released to fix CVE-2026-1245
Maintainer Keichi Takahashi patched the vulnerability in binary-parser version 2.3.0. The fix addressed insufficient sanitization of parser field names and encoding parameters that could lead to arbitrary JavaScript execution.
Nov 26, 2025
binary-parser flaw discovered by researcher Maor Caplan
Security researcher Maor Caplan identified a code-injection vulnerability in the Node.js binary-parser library caused by unsafe incorporation of user-controlled values into dynamically generated JavaScript.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
Related Stories
Remote Code Execution Vulnerability in Node.js systeminformation Library on Windows
A critical vulnerability has been identified in the `systeminformation` library for Node.js, specifically affecting Windows systems. The flaw, tracked as CVE-2025-68154, resides in the `fsSize()` function, which fails to properly sanitize the `drive` parameter before concatenating it into a PowerShell command. This oversight allows for OS command injection, enabling attackers to execute arbitrary commands on affected systems if user-controlled input is passed to the vulnerable function. The issue is particularly concerning given the library's widespread use, with over 16 million monthly users potentially at risk. The vulnerability is remotely exploitable and has been addressed in version 5.27.14 of the library. Security researchers emphasize that the actual risk depends on how applications utilize the `fsSize()` function; if user input is not passed to this function, the risk is mitigated. Organizations using the `systeminformation` library on Windows are strongly advised to update to the patched version immediately to prevent exploitation and potential compromise of their systems.
1 months ago
Critical Remote Code Execution Vulnerability in Happy DOM JavaScript Library
A critical security vulnerability, tracked as CVE-2025-61927, has been discovered in the Happy DOM JavaScript library, which is widely used for server-side rendering and testing frameworks. The flaw allows attackers to escape the virtual machine (VM) context, potentially leading to remote code execution on affected systems. Happy DOM, with over 2.7 million weekly downloads, is integrated into numerous applications, amplifying the potential impact of this vulnerability. The root cause of the issue lies in improper isolation of the Node.js VM context in Happy DOM versions 19 and earlier, which fails to adequately sandbox untrusted code. Security researcher Mas0nShi identified that attackers can exploit the JavaScript constructor inheritance chain to access the global Function constructor, enabling arbitrary code execution. In environments using the CommonJS module system, attackers can further leverage the require() function to import and execute additional modules, broadening the attack surface. While ECMAScript module (ESM) environments restrict some capabilities, they are still affected by the core VM context escape. The vulnerability has been assigned a CVSS score of 9.4, underscoring its severity and the urgency for remediation. Millions of applications that rely on Happy DOM for testing or server-side rendering are at risk if they have not updated to a patched version. The flaw enables attackers to bypass intended security boundaries, potentially compromising the host system and any sensitive data processed within the affected environment. Security advisories recommend immediate updates to the latest version of Happy DOM to mitigate the risk. Organizations are urged to review their software supply chain for dependencies on Happy DOM and to apply patches as soon as possible. The vulnerability highlights the risks associated with improper sandboxing in JavaScript environments, especially in widely adopted open-source libraries. No reports of active exploitation have been confirmed at this time, but the public disclosure and technical details increase the likelihood of exploitation attempts. Security teams should monitor for suspicious activity related to Node.js processes and review application logs for signs of compromise. The incident serves as a reminder of the importance of rigorous security testing and isolation in libraries that execute untrusted code. Developers and DevOps teams should prioritize dependency management and vulnerability scanning to reduce exposure to similar flaws in the future.
1 months ago
Critical Local File Inclusion Vulnerability in jsPDF Library
A critical vulnerability, tracked as CVE-2025-68428, was discovered in the *jsPDF* library, which is widely used for generating PDFs in JavaScript applications. The flaw allows attackers to exploit local file inclusion and path traversal in the Node.js build of jsPDF by passing unsanitized paths to the `loadFile` method, potentially enabling unauthorized access to arbitrary files on the server. Other affected methods include `addImage`, `html`, and `addFont`, with the vulnerability present in the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The issue has been addressed in jsPDF version 4.0.0, which restricts file system access by default. The vulnerability is remotely exploitable and poses a significant risk to applications that allow user-controlled input to these methods. jsPDF recommends updating to version 4.0.0 or later and, for older Node.js versions, sanitizing user-provided paths before use. Additionally, Node.js environments should leverage the `--permission` flag to further restrict file system access. Organizations using jsPDF in server-side environments are urged to review their implementations and apply the necessary updates or mitigations to prevent potential data breaches or unauthorized file access.
1 months ago