CVE-2026-1245

Опубликовано: 20 янв. 2026

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.

Ссылки

https://github.com/keichi/binary-parser
Product
https://github.com/keichi/binary-parser/pull/283
Patch
https://kb.cert.org/vuls/id/102648
Third Party Advisory
https://www.npmjs.com/package/binary-parser
Product
https://www.kb.cert.org/vuls/id/102648
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:keichi:binary-parser:*:*:*:*:*:node.js:*:*

Версия до 2.3.0 (исключая)

EPSS

Процентиль: 20%

0.00063

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-m39p-34qh-rh3w