VU#102648: Code Injection Vulnerability in binary-parser library
The binary-parser library for Node.js suffered from a code injection vulnerability. This vulnerability affected versions before 2.3.0 and could lead to arbitrary JavaScript execution. The library allowed for dynamic JavaScript code generation using the Function constructor. User-provided data, particularly field names and encoding parameters, were incorporated without proper sanitization. This lack of sanitization permitted attackers to inject malicious code through crafted inputs. Applications utilizing untrusted data in parser definitions were vulnerable to exploitation. Successful exploitation could grant attackers control over the Node.js process. The vendor addressed the issue by releasing version 2.3.0 with input validation. Users should upgrade to the patched version to mitigate the risk. Developers should avoid including untrusted data in parser definitions to prevent similar vulnerabilities. This vulnerability was identified by Maor Caplan and fixed by Keichi Takahashi.