
CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution

Low
Published: Wed Jan 21 2026 (01/21/2026, 06:04:00 UTC)
Source: The Hacker News

Description

A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript. The vulnerability, tracked as CVE-2026-1245 (CVSS score: 6.5), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a

AI-Powered Analysis

Last updated: 01/21/2026, 20:51:26 UTC

Technical Analysis

The binary-parser npm library, a popular JavaScript parser builder used to parse binary data, suffers from a severe security vulnerability identified as CVE-2026-1245. The vulnerability stems from the library’s use of JavaScript's Function constructor to dynamically generate parsing code at runtime. Specifically, user-supplied values such as parser field names and encoding parameters are not properly sanitized before being embedded into dynamically generated code strings. This lack of input validation allows an attacker to inject arbitrary JavaScript code that executes with the same privileges as the Node.js process running the application.

The vulnerability affects all versions of binary-parser prior to 2.3.0, which introduced patches to properly sanitize inputs and prevent code injection. The binary-parser library is widely used, with approximately 13,000 weekly downloads, making the attack surface significant. Exploitation requires that applications build parser definitions dynamically using untrusted input; applications using static, hard-coded parser definitions are not vulnerable. If exploited, attackers could gain the ability to execute arbitrary commands, access sensitive local data, or alter application logic, potentially leading to full system compromise depending on deployment context.

The CERT Coordination Center (CERT/CC) issued an advisory highlighting the risk and recommending immediate upgrades. No public exploits have been observed in the wild yet, but the vulnerability’s nature and ease of exploitation warrant urgent attention from developers and security teams.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Node.js applications that utilize the binary-parser library with dynamic parser definitions. Exploitation could lead to unauthorized code execution, resulting in data breaches, system manipulation, or lateral movement within networks. This is particularly critical for sectors handling sensitive or regulated data such as finance, healthcare, and government services. The ability to execute arbitrary code at the Node.js process level could allow attackers to bypass application-level controls, access confidential information, or disrupt service availability. Given the widespread use of Node.js in web services and backend systems across Europe, the vulnerability poses a risk to a broad range of enterprises and public sector organizations. Additionally, supply chain risks exist if third-party applications or libraries incorporate vulnerable versions of binary-parser. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the potential for targeted attacks or future exploitation campaigns.

Mitigation Recommendations

European organizations should immediately upgrade all instances of the binary-parser library to version 2.3.0 or later to ensure the vulnerability is patched. Developers must audit their codebases to identify any dynamic parser definitions that incorporate user-controlled inputs and refactor them to use static, hard-coded definitions wherever possible. Implement strict input validation and sanitization for all parser-related parameters to prevent injection of malicious code. Conduct thorough code reviews and static analysis focusing on dynamic code generation patterns, especially those using the Function constructor or eval-like functions. Employ runtime application self-protection (RASP) or behavior monitoring to detect anomalous code execution patterns. Organizations should also review their software supply chains to identify and remediate vulnerable dependencies. Finally, maintain vigilant monitoring for unusual activity in Node.js processes and apply the principle of least privilege to limit the potential impact of any exploitation.
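One way to apply the "validate every parser-related parameter" recommendation above, as an added example that is not code from binary-parser, CERT/CC or the article: a validator that runs over a data-supplied parser definition before any parser-building call, so that only plain identifiers and allowlisted type and encoding values can reach code generation. The definition schema ({name, type, encoding, length}), the allowlists and the sample inputs are constructed assumptions for this example.

```javascript
// Added example, not binary-parser's own code. Assumed intermediate schema:
// an array of {name, type, encoding?, length?} objects coming from untrusted
// input (e.g. a JSON request body) that would otherwise be turned into
// parser field definitions.

// A field name may only be a plain identifier; anything else would reach the
// code-generation step as raw text. Names that collide with object internals
// are rejected as well, even though they are syntactically identifiers.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(['constructor', '__proto__', 'prototype', 'eval', 'arguments']);
// Constructed allowlists: only the types/encodings this application actually needs.
const ALLOWED_TYPES = new Set(['uint8', 'uint16le', 'uint32le', 'int8', 'string']);
const ALLOWED_ENCODINGS = new Set(['utf8', 'ascii', 'hex', 'latin1']);

// Returns a list of problems for one field (empty when the field is acceptable).
function validateField(field, index, seen) {
  const problems = [];
  const where = `field[${index}]`;
  const nameOk = typeof field.name === 'string' && IDENTIFIER.test(field.name);
  if (!nameOk) problems.push(`${where}: name must be a plain identifier`);
  else if (RESERVED.has(field.name)) problems.push(`${where}: name "${field.name}" is reserved`);
  else if (seen.has(field.name)) problems.push(`${where}: duplicate name "${field.name}"`);
  if (nameOk) seen.add(field.name);
  if (!ALLOWED_TYPES.has(field.type)) problems.push(`${where}: type not in allowlist`);
  if (field.type === 'string') {
    if (!ALLOWED_ENCODINGS.has(field.encoding ?? 'utf8')) problems.push(`${where}: encoding not in allowlist`);
    if (!Number.isInteger(field.length) || field.length <= 0) problems.push(`${where}: length must be a positive integer`);
  } else if (field.encoding !== undefined) {
    problems.push(`${where}: encoding only applies to string fields`);
  }
  return problems;
}

// Validates a whole definition; callers build a parser only when ok === true.
function validateDefinition(def) {
  if (!Array.isArray(def)) return { ok: false, problems: ['definition must be an array'] };
  const seen = new Set();
  const problems = def.flatMap((field, i) => validateField(field ?? {}, i, seen));
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: one well-formed definition and one whose name and
// encoding values are not plain identifiers / allowlisted encodings.
const GOOD_DEF = [
  { name: 'version', type: 'uint8' },
  { name: 'length', type: 'uint16le' },
  { name: 'label', type: 'string', encoding: 'utf8', length: 8 },
];
const BAD_DEF = [
  { name: 'version', type: 'uint8' },
  { name: 'a b', type: 'uint8' },
  { name: '__proto__', type: 'uint8' },
  { name: 'label', type: 'string', encoding: 'base64', length: 8 },
];
```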


Technical Details

Article Source
https://thehackernews.com/2026/01/certcc-warns-binary-parser-bug-allows.html (fetched 2026-01-21T20:49:05.828Z; 895 words)

Threat ID: 69713bc44623b1157ceb89a3

Added to database: 1/21/2026, 8:49:08 PM

Last enriched: 1/21/2026, 8:51:26 PM

Last updated: 1/24/2026, 8:08:46 AM

Views: 50

