VDB
CVE-2026-1245
CVE-2026-1245
PUBLISHED
CVSS 9.300000190734863 CRITICAL
A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.
EPSS 0.09% · 25.1th percentile
Risk Scores
CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.09%
25.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| binary-parser | binary-parser | 0, 0 |
| npm | binary-parser | 0, 0 |
| keichi | binary-parser | 0, 0 |
Timeline
- Jan 20, 2026 CVE Published
- Jan 21, 2026 CVE Updated
- Jan 21, 2026 EPSS Score
- Jan 21, 2026 PoC Published
- Jan 21, 2026 PoC Published
- Jan 21, 2026 PoC Published
- Jan 21, 2026 PoC Published
- Jan 22, 2026 PoC Published
- Jan 22, 2026 PoC Published
- Jan 24, 2026 EPSS Score
- Jan 26, 2026 EPSS Score
- Jan 26, 2026 PoC Published
References
- https://github.com/keichi/binary-parser/pull/283 url
- https://github.com/keichi/binary-parser url
- https://www.npmjs.com/package/binary-parser url
- https://kb.cert.org/vuls/id/102648 url
- https://www.kb.cert.org/vuls/id/102648 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-1245 advisory
- https://www.cve.org/CVERecord?id=CVE-2026-1245 url