CVE-2025-54134

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22	Product
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52	Product
https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34	Patch
https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*

History

30 Jul 2025, 17:07

Type	Values Removed	Values Added
First Time		Psu haxcms-nodejs Psu
CPE		cpe:2.3:a:psu:haxcms-nodejs::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22 -~~	() https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22 - Product
References	~~() https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52 -~~	() https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52 - Product
References	~~() https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34 -~~	() https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34 - Patch
References	~~() https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27 -~~	() https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27 - Third Party Advisory

22 Jul 2025, 13:05

Type	Values Removed	Values Added
Summary		(es) HAX CMS NodeJS permite a los usuarios gestionar su universo de micrositios con un backend NodeJS. En las versiones 11.0.8 y anteriores, la aplicación HAX CMS NodeJS se bloquea cuando un atacante autenticado proporciona una solicitud de API sin los parámetros de URL requeridos. Esta vulnerabilidad afecta a los endpoints listFiles y saveFiles. Esta vulnerabilidad existe porque la aplicación no gestiona correctamente las excepciones que se producen como resultado de cambios en los parámetros de URL modificables por el usuario. Esto se ha corregido en la versión 11.0.9.

21 Jul 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-21 21:15

Updated : 2025-07-30 17:07

NVD link : CVE-2025-54134

Mitre link : CVE-2025-54134

CVE.ORG link : CVE-2025-54134

JSON object : View

Products Affected

psu

haxcms-nodejs

CWE

CWE-20

Improper Input Validation

CWE-248

Uncaught Exception

CWE-703

Improper Check or Handling of Exceptional Conditions

6.5 /10