
CVE-2025-54127 @haxtheweb/haxcms-nodejs

Package

Manager: npm
Name: @haxtheweb/haxcms-nodejs
Vulnerable Version: >=0 <11.0.7

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00073 (percentile 0.22701)

Details

NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access

### Summary

The NodeJS version of HAX CMS ships with an insecure default configuration intended for local development. With that configuration in place, the application performs no authentication or authorization checks on requests.

### Details

If a user deploys haxcms-nodejs without modifying the default settings, `HAXCMS_DISABLE_JWT_CHECKS` is set to `true` and the deployment has no session authentication at all: every request is treated as authenticated.

![insecure-default-configuration-code](https://github.com/user-attachments/assets/af58b08a-8a26-4ef5-8deb-e6e9d4efefaa)

#### Affected Resources

- [package.json:13](https://github.com/haxtheweb/haxcms-nodejs/blob/a4d2f18341ff63ad2d97c35f9fc21af8b965248b/package.json#L13)

### PoC

To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS with its default settings. The application loads without JWT checks enabled, so requests that should require a valid session are accepted without one.

### Impact

Without these checks in place, an unauthenticated remote attacker could read, modify, and delete all site content on an affected deployment.

### Remediation

Upgrade to @haxtheweb/haxcms-nodejs 11.0.7 or later (all versions below 11.0.7 are affected). For any instance already deployed, verify that `HAXCMS_DISABLE_JWT_CHECKS` is not set to `true` in the production environment; the flag should only ever be enabled for local development.

Metadata

Created: 2025-07-21T19:48:58Z
Modified: 2025-07-21T22:21:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-f38f-jvqj-mfg6/GHSA-f38f-jvqj-mfg6.json
CWE IDs: ["CWE-1188"]
Alternative ID: GHSA-f38f-jvqj-mfg6
Finding: F164
Auto approve: 1