The “Eval” Inside: Deconstructing CVE-2026-1245 in Node.js Binary-Parser and the Risk of Dynamic Code Generation

The Silent Compiler in Your Dependency Tree

In January 2026, the Node.js ecosystem was hit by yet another reminder that performance optimizations often come at the cost of security. CVE-2026-1245 (CVSS 6.5 – High) was disclosed in binary-parser, a foundational library downloaded millions of times weekly for parsing binary data structures.

For the hardcore security engineer, this isn’t just another npm audit fix moment. It is a masterclass in Sink Injection. The vulnerability stems from a design pattern that is prevalent in high-performance JavaScript but inherently dangerous: using new Function()—a cousin of eval—to compile performant parsers at runtime.

While most defenses focus on SQL Injection or XSS, CVE-2026-1245 exposes how unvalidated inputs in backend libraries can lead to full Exécution de code à distance (RCE) when user-controlled data leaks into code generation logic.

Anatomy of the Vulnerability: When Strings Become Code

Les binary-parser library is designed to be blazing fast. To achieve this, it avoids the overhead of interpreting a parsing schema for every packet. Instead, it dynamically generates JavaScript code strings that represent the parsing logic and then compiles them into executable functions using the Fonction constructeur.

The Flaw: Unsanitized JIT Compilation

The vulnerability exists because the library allowed user-supplied inputs—specifically field names ou encoding types—to be interpolated directly into the generated code string without sufficient sanitization.

If an attacker can control the schema definition (e.g., in a dynamic system where users define how to parse a custom file format), they can inject malicious JavaScript that breaks out of the generated function’s syntax.

Vulnerable Logic (Conceptual Representation):

JavaScript

// Conceptual representation of the vulnerable code generation in binary-parser < 2.3.0 function compileParser(fieldName, type) { // DANGER: fieldName is concatenated directly into the code string // The library assumes fieldName is a safe identifier like "headerLength" let code = this.vars.${fieldName} = buffer.read${type}(); return this.vars; `;

// The sink: Compiling the string into executable code
// This is functionally equivalent to eval()
return new Function('buffer', code);

}`

In the simplified example above, if fieldName is strictly alphanumeric, the code works as intended. But if fieldName contains malicious syntax, the JIT compiler executes it.

The Exploit Mechanism: Breaking the Context

To exploit CVE-2026-1245, an attacker needs to supply a payload that effectively “closes” the existing assignment statement and “opens” a new malicious one.

Attack Vector Scenario:

Imagine a SaaS platform that allows developers to upload a JSON configuration file to parse IoT device logs. The platform uses binary-parser to process these definitions.

Payload Example:

If the attacker sets the fieldName in their JSON config to:

test; require('child_process').exec('rm -rf /'); //

The dynamically generated code becomes:

JavaScript

// The resulting malicious code string compiled by the server this.vars.test; // The injected payload executes with the privileges of the Node.js process require('child_process').exec('rm -rf /'); // = buffer.readInt8(); return this.vars;

Quand new Function() executes this string, the Node.js process executes the shell command. This is a classic Code Injection (CWE-94).

Technical Impact Breakdown

Why Traditional Scanners Missed This

This vulnerability highlights a critical gap in traditional Static Application Security Testing (SAST) des outils.

1. Context Loss: SAST tools often see new Function() and flag it as a generic “Unsafe Use of Eval” warning. However, developers often suppress these warnings in parser libraries, arguing it’s necessary for performance. SAST tools struggle to determine if the variable entering the function is entaché (user-controlled) or safe (hardcoded).
2. Indirect Dependencies: Most developers don’t use binary-parser directly; it is buried deep in the dependency tree of other protocol parsers (like video processors, network packet analyzers, etc.). A scan of votre code won’t find the vulnerability in node_modules.

The AI Advantage: Tracing the Taint

This is where the security paradigm is shifting toward AI-driven Dynamic Analysis.

Au Penligent.ai, we trained our automated pentesting agents to recognize these specific “Data-to-Code” patterns. Unlike a regex-based scanner that just looks for bad keywords, Penligent’s AI understands the execution flow.

When Penligent scans an application using a vulnerable version of binary-parser:

1. Code Understanding: The Agent identifies that the application accepts a configuration object (e.g., a file structure definition) and maps how that object flows through the application.
2. Hypothesis Generation: The Agent hypothesizes: “If I modify the field name in this upload, does it eventually reach a compilation sink like new Function?”
3. Payload Crafting: Instead of blindly fuzzing, the Agent constructs a “safe” probe (e.g., console.log('Penligent_Check')) to test for injection capability without crashing the server.
4. Vérification : It validates that the sink (new Function) actually executed the payload, confirming CVE-2026-1245 exploitability with zero false positives.

This level of contextual awareness—understanding that données devient code—is why AI agents are becoming essential for modern red teaming.

Remédiation et défense

The immediate fix is straightforward, but the architectural lesson is vital for any engineer working with Node.js.

1. Patching:

Mise à niveau binary-parser à version 2.3.0 or later immediately. The patch introduces strict validation for field names and types, ensuring they only contain safe characters before code generation.

Le cambriolage

npm install binary-parser@latest npm audit fix

2. Architecture Review:

If you are maintaining internal libraries, audit your codebase for eval(), new Function()et setTimeout(string). In 2026, dynamic code generation should be a “break glass” emergency measure, not a standard performance optimization. Modern V8 engines are highly optimized; the performance gain from new Function is often negligible compared to the massive security risk.

3. Input Sanitization:

Ensure that any input used to define logical structures (schemas, graph queries, parser configs) is strictly allow-listed. Never allow a user to define a key name that isn’t validated against a regex like /^[a-zA-Z0-9_]+$/.

Conclusion

CVE-2026-1245 is a stark reminder that the “supply chain” isn’t just about malicious packages—it’s about the inherent fragility of the libraries we trust. A single unchecked string interpolation in a parser can turn a data processing pipeline into a remote shell.

As we move forward, relying solely on npm audit is insufficient. We need intelligent, active verification systems like Penligent.ai that act as a continuous, automated red team, probing the deeper logic flaws that static tools simply cannot see.

Références et liens d'autorité :

• The Hacker News: binary-parser Bug Allows Code Execution
• Snyk Vulnerability DB: Arbitrary Code Injection in binary-parser
• Penligent.ai: The Future of AI-Driven Pentesting
• MDN Web Docs: Security Guidelines for ‘new Function’
• CWE-94: Improper Control of Generation of Code (‘Code Injection’)