CVE-2025-54134

MEDIUM

PSU Haxcms-nodejs < 11.0.9 - Improper Input Validation

Title source: rule

Description

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.

References (4)

[Third Party Advisory] https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27

[Patch] https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34

[Product] https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22

[Product] https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0008

EPSS Percentile 23.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-248 CWE-20 CWE-703

Status published

Products (2)

haxtheweb/haxcms-nodejs 0 - 11.0.9npm

psu/haxcms-nodejs < 11.0.9

Published Jul 21, 2025

Tracked Since Feb 18, 2026