CVE-2025-54128
Published: 2025-07-21
Priority: P426 · Severity: medium · Score: 6.1 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.20% (10.2th percentile)
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | >= 0 < 11.0.8 | 11.0.8 |
| haxtheweb | issues | < 11.0.8 | 11.0.8 |
| psu | haxcms-nodejs | < 11.0.8 | 11.0.8 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 7.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2025-07-21 · CVE-2025-54128 [HIGH]
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
### Summary
The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks.
### Details
The `contentSecurityPolicy` value is explicitly disabled in the application's Helmet configuration in `app.js`.
#### Affected Resources
- [app.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/b1f95880b42fea6ed07855b5804b29b182ec5e07/src/app.js#L52)
### PoC
To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without a CSP configured.
### Impact
In conjunction with an XSS vulnerability,
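The Helmet setting the advisory describes, shown beside a hardened configuration and a response-header audit a defender can run against a deployed instance, as an added example that is not HAX CMS code: `contentSecurityPolicy: false` is the option named on the page; the specific directives, the header serializer and the `auditCsp` check are assumptions of this example, not the directives shipped in 11.0.8.

```javascript
// Added example, not HAX CMS code. Directive values are illustrative
// assumptions, not the directives shipped in the 11.0.8 fix.

// The vulnerable shape the advisory names: CSP explicitly switched off in Helmet.
const weakHelmetOptions = { contentSecurityPolicy: false };

// A restrictive baseline in Helmet's option shape (camelCase directive keys).
const hardenedHelmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"],
      baseUri: ["'self'"],
      frameAncestors: ["'none'"],
    },
  },
};

// Serialise Helmet-style directives to a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([n, srcs]) => n.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase()) + " " + srcs.join(" "))
    .join("; ");
}

// Parse "name src src; name src" into a Map of directive -> sources.
function parseCsp(value) {
  const out = new Map();
  for (const part of value.split(";")) {
    const [name, ...srcs] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name, srcs);
  }
  return out;
}

// Audit a response's headers; [] means a CSP is present and its script sources
// are neither missing nor trivially permissive. Header-name lookup is case-insensitive.
function auditCsp(headers) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-security-policy");
  if (!hit) return ["Content-Security-Policy header missing"];
  const d = parseCsp(hit[1]);
  const findings = [];
  if (!d.has("default-src")) findings.push("no default-src fallback");
  const script = d.get("script-src") || d.get("default-src") || [];
  if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (script.includes("*")) findings.push("script-src allows *");
  return findings;
}

// Constructed sample responses: the vulnerable config emits no CSP header at all.
const vulnerableResponseHeaders = { "Content-Type": "text/html; charset=utf-8" };
const hardenedResponseHeaders = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": buildCspHeader(hardenedHelmetOptions.contentSecurityPolicy.directives),
};
```

Running `auditCsp` over the headers returned by a live instance is a quick way to confirm that the upgrade to 11.0.8 (or a local Helmet change) actually put a policy on the wire.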
GHSA · 2025-07-21 · CVE-2025-54128 [HIGH] · CWE-79
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.