binary-parser Code Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A code injection vulnerability has been identified in the binary-parser library for Node.js, affecting versions prior to 2.3.0. This vulnerability allows the execution of arbitrary JavaScript code when untrusted input is used in parser field names or encoding parameters. The library dynamically generates parser code at runtime, incorporating these untrusted values without proper validation or sanitization. As a result, attackers can manipulate the generated code to execute malicious scripts within the Node.js process, potentially leading to unauthorized access to local data, manipulation of application logic, or execution of system commands, depending on the deployment environment.

Impact

Exploitation of this vulnerability could result in arbitrary code execution within the context of the Node.js process, allowing attackers to execute malicious JavaScript code with the same privileges as the Node.js application.

Reproduction

To reproduce this vulnerability, create a binary-parser instance and use untrusted input for field names or encoding parameters. When the parser is executed, the injected code will be executed in the Node.js environment.

Remediation

Users should upgrade to binary-parser version 2.3.0 or later, where input validation has been implemented to prevent this vulnerability. Additionally, developers should avoid using untrusted data in parser definitions.
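The second half of that advice, keeping untrusted data out of parser definitions, can be enforced mechanically. The following is an added example in JavaScript and is not binary-parser's own validation code: an allowlist gate that rejects unsafe field names, types, lengths and encodings before anything reaches the code-generating Parser API. The {name, type, length?, encoding?} spec shape, the type allowlist and the Parser-like target object are this example's assumptions.

```javascript
// Added example, not binary-parser's own code: an allowlist gate for parser
// definitions built from untrusted input, applied before any value reaches
// the code-generating Parser API. The spec shape is this example's assumption.

// Field names must be plain identifiers (so they cannot change the shape of
// the generated JavaScript) and must not be Object.prototype keys.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
function isSafeFieldName(name) {
  return typeof name === 'string' && name.length <= 64 &&
    IDENT_RE.test(name) && !(name in Object.prototype);
}

// Encodings are limited to those Node's Buffer actually implements.
function isSafeEncoding(enc) {
  return typeof enc === 'string' && Buffer.isEncoding(enc);
}

// Parser methods this application is willing to call (assumed allowlist).
const ALLOWED_TYPES = new Set(['uint8', 'int8', 'uint16le', 'uint16be',
  'uint32le', 'uint32be', 'string', 'buffer']);

// Returns a frozen, validated copy of an untrusted spec, or throws.
function sanitizeParserSpec(spec) {
  if (!Array.isArray(spec)) throw new TypeError('spec must be an array');
  const seen = new Set();
  return Object.freeze(spec.map((field, i) => {
    const { name, type, length, encoding } = Object(field);
    if (!isSafeFieldName(name)) throw new Error(`field ${i}: unsafe name`);
    if (seen.has(name)) throw new Error(`field ${i}: duplicate name`);
    seen.add(name);
    if (!ALLOWED_TYPES.has(type)) throw new Error(`field ${i}: bad type`);
    if (length !== undefined && (!Number.isInteger(length) || length < 1))
      throw new Error(`field ${i}: bad length`);
    if (encoding !== undefined && (type !== 'string' || !isSafeEncoding(encoding)))
      throw new Error(`field ${i}: bad encoding`);
    return Object.freeze({ name, type, length, encoding });
  }));
}

// Feeds a sanitized spec to a Parser-like object (e.g. new Parser()).
function applySpec(parser, safeSpec) {
  for (const f of safeSpec) {
    const opts = {};
    if (f.length !== undefined) opts.length = f.length;
    if (f.encoding !== undefined) opts.encoding = f.encoding;
    parser[f.type](f.name, opts);
  }
  return parser;
}
```

Run the gate on every definition that is not a compile-time constant, and treat a thrown error as a rejected request rather than something to fall back from.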

Added: Jan 20, 2026, 7:25 PM
Updated: Jan 21, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.