CVE-2025-54134

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.

CVSS

No CVSS.

References

Link	Resource
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52
https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34
https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27

Configurations

No configuration.

History

22 Jul 2025, 13:05

Type	Values Removed	Values Added
Summary		(es) HAX CMS NodeJS permite a los usuarios gestionar su universo de micrositios con un backend NodeJS. En las versiones 11.0.8 y anteriores, la aplicación HAX CMS NodeJS se bloquea cuando un atacante autenticado proporciona una solicitud de API sin los parámetros de URL requeridos. Esta vulnerabilidad afecta a los endpoints listFiles y saveFiles. Esta vulnerabilidad existe porque la aplicación no gestiona correctamente las excepciones que se producen como resultado de cambios en los parámetros de URL modificables por el usuario. Esto se ha corregido en la versión 11.0.9.

21 Jul 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-21 21:15

Updated : 2025-07-22 13:05

NVD link : CVE-2025-54134

Mitre link : CVE-2025-54134

CVE.ORG link : CVE-2025-54134

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-248

Uncaught Exception

CWE-703

Improper Check or Handling of Exceptional Conditions

{"id": "CVE-2025-54134", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-21T21:15:26.863", "references": [{"url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22", "source": "security-advisories@github.com"}, {"url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52", "source": "security-advisories@github.com"}, {"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34", "source": "security-advisories@github.com"}, {"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-703"}]}], "descriptions": [{"lang": "en", "value": "HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9."}, {"lang": "es", "value": "HAX CMS NodeJS permite a los usuarios gestionar su universo de micrositios con un backend NodeJS. En las versiones 11.0.8 y anteriores, la aplicaci\u00f3n HAX CMS NodeJS se bloquea cuando un atacante autenticado proporciona una solicitud de API sin los par\u00e1metros de URL requeridos. Esta vulnerabilidad afecta a los endpoints listFiles y saveFiles. Esta vulnerabilidad existe porque la aplicaci\u00f3n no gestiona correctamente las excepciones que se producen como resultado de cambios en los par\u00e1metros de URL modificables por el usuario. Esto se ha corregido en la versi\u00f3n 11.0.9."}], "lastModified": "2025-07-22T13:05:40.573", "sourceIdentifier": "security-advisories@github.com"}