CVE-2026-1245
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-03
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keichi | binary-parser | to 2.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a code injection flaw in the binary-parser library before version 2.3.0. It occurs because the library directly inserts untrusted values from parser field names or encoding parameters into dynamically generated JavaScript code without sanitizing them. This allows an attacker to inject and execute arbitrary JavaScript code within the Node.js process running the library. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the Node.js process using the binary-parser library. This could lead to unauthorized actions such as data theft, system compromise, or further attacks within the environment where the vulnerable library is used. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the binary-parser library to version 2.3.0 or later, which includes a patch that sanitizes and properly validates field names and encoding parameters to prevent code injection. Applying this update will restrict unsafe processing of these inputs and eliminate the vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows arbitrary code execution in the Node.js process when untrusted input is used, potentially leading to unauthorized access or manipulation of data. This could impact compliance with standards like GDPR or HIPAA by risking the confidentiality and integrity of sensitive data processed by applications using the vulnerable binary-parser library. However, specific compliance impacts depend on the context of use and whether untrusted inputs are passed to the parser. Mitigation involves upgrading to version 2.3.0 or later and avoiding untrusted inputs in parser definitions. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system scanning methods provided in the available resources. However, detection can focus on identifying usage of the vulnerable binary-parser library versions prior to 2.3.0 in your Node.js projects, especially where parser field names or encoding parameters are dynamically set from untrusted input. To detect vulnerable versions, you can check your project's installed package version with commands like `npm list binary-parser` or `yarn list binary-parser`. Additionally, reviewing code for dynamic or user-supplied values used in parser field names or encoding parameters may help identify risky usage. Upgrading to version 2.3.0 or later is recommended to mitigate the vulnerability. [2, 3]