CVE-2025-54134

MEDIUM

PSU Haxcms-nodejs < 11.0.9 - Improper Input Validation

Title source: rule

Description

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.

References (4)

[Product] https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22

[Product] https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52

View Writeup ZIP pw:eip

[Patch] https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34

[Third Party Advisory] https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 19.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-248 CWE-20 CWE-703

Status published

Affected Products (2)

psu/haxcms-nodejs < 11.0.9

haxtheweb/haxcms-nodejs < 11.0.9npm

Timeline

Published Jul 21, 2025

Tracked Since Feb 18, 2026