CISA alerts on code injection in binary-parser library
The binary-parser library for Node.js contains a code injection vulnerability that can enable execution of arbitrary JavaScript when parser definitions are constructed from untrusted input; the flaw affects versions prior to 2.3.0.
The issue is tracked as CVE-2026-1245 and involves binary-parser generating JavaScript at runtime via the Function constructor. The library inserts certain user-supplied values—specifically parser field names and encoding parameters—into that generated code without validation or sanitization. If an application supplies externally controlled data into those parameters, the unsanitized values can modify the produced code; applications that rely solely on static, hardcoded parser definitions are not affected.
When parser definitions are built from untrusted input in affected deployments, an attacker may execute arbitrary JavaScript with the privileges of the Node.js process. That capability can allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.
The vendor addressed the problem in version 2.3.0, implementing input validation and mitigations for unsafe code generation and clarifying the library’s design limitations. Users and developers are directed to upgrade to binary-parser version 2.3.0 or later, where the fix is included, and to avoid passing untrusted or user-controlled values into parser field names or encoding parameters.
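The advisory's root cause (field names and encodings copied into generated JavaScript) and its mitigation (keep untrusted values out of those parameters) can be enforced at the application boundary. The following is an added example, not code from CISA or the binary-parser project; the type and encoding allowlists and the `{name, type, encoding, length}` spec format are assumptions about the application, and only the validated output would be handed to the library's parser builder.

```javascript
// Added example, not code from CISA or the binary-parser project.
// Gate untrusted parser definitions before they reach a library that
// compiles field names and encodings into generated JavaScript.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
// Names that pass the identifier pattern but are still unwanted in generated
// code or on result objects (conservative choice, not a list from the advisory).
const BLOCKED_NAMES = new Set([
  '__proto__', 'constructor', 'prototype', 'eval', 'Function',
  'this', 'arguments', 'class', 'function', 'return', 'var', 'let', 'const',
]);
// Assumed allowlists: the field types and encodings this application needs.
const ALLOWED_TYPES = new Set(['uint8', 'uint16le', 'uint32le', 'string']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'hex']);

function isSafeFieldName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name) && !BLOCKED_NAMES.has(name);
}

function isSafeEncoding(encoding) {
  return typeof encoding === 'string' && ALLOWED_ENCODINGS.has(encoding);
}

// Validate a field list supplied from outside (e.g. a layout a client uploads)
// and return a copy containing only allowlisted values; reject everything else.
function sanitizeFieldSpecs(specs) {
  if (!Array.isArray(specs)) throw new TypeError('field specs must be an array');
  const seen = new Set();
  return specs.map((spec, i) => {
    const { name, type, encoding, length } = spec;
    if (!isSafeFieldName(name)) throw new Error(`field ${i}: unsafe name`);
    if (seen.has(name)) throw new Error(`field ${i}: duplicate name ${name}`);
    seen.add(name);
    if (!ALLOWED_TYPES.has(type)) throw new Error(`field ${i}: unsupported type`);
    const clean = { name, type };
    if (type === 'string') {
      if (!isSafeEncoding(encoding)) throw new Error(`field ${i}: unsupported encoding`);
      if (!Number.isInteger(length) || length < 0 || length > 65535) {
        throw new Error(`field ${i}: invalid length`);
      }
      clean.encoding = encoding;
      clean.length = length;
    }
    return clean;
  });
}

// Constructed sample input standing in for an untrusted definition.
const untrustedSpecs = JSON.parse(
  '[{"name":"version","type":"uint8"},' +
  '{"name":"tag","type":"string","encoding":"ascii","length":4}]'
);
const safeSpecs = sanitizeFieldSpecs(untrustedSpecs);
// Only safeSpecs is used to build the parser, e.g. with binary-parser:
// safeSpecs.reduce((p, f) => p[f.type](f.name, f.type === 'string'
//   ? { encoding: f.encoding, length: f.length } : undefined), new Parser());
```

This validation complements, rather than replaces, upgrading to 2.3.0 or later.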