
CVE-2025-54128 @haxtheweb/haxcms-nodejs

Package

Manager: npm
Name: @haxtheweb/haxcms-nodejs
Vulnerable Version: >=0 <11.0.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N

EPSS: 0.00034 (percentile 0.08383)

Details

NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting

### Summary

The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it removes the browser-enforced defense in depth that a CSP provides against cross-site scripting (XSS).

### Details

The `contentSecurityPolicy` value is explicitly disabled in the application's Helmet configuration in `app.js`.

![permissive-csp-code](https://github.com/user-attachments/assets/8ec6c63c-9f9f-413e-be7e-ed14913da91c)

#### Affected Resources

- [app.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/b1f95880b42fea6ed07855b5804b29b182ec5e07/src/app.js#L52)

### PoC

To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without a CSP configured.

### Impact

In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data.

#### Additional Information

- [OWASP: Content Security Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
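The following is an added example, not code from the haxcms-nodejs project: it places the weak Helmet setting the advisory describes (`contentSecurityPolicy: false`) beside a restrictive policy, and shows the `Content-Security-Policy` header value each produces. `buildCspHeader` and `cspIsProtective` are stand-ins written here (Helmet itself is not imported), and the hardened directive list is a constructed starting point, not the project's real configuration.

```javascript
// Weak setting from the advisory: Helmet is told to emit no CSP at all.
// (In the app this would be passed as app.use(helmet(weakHelmetOptions)).)
const weakHelmetOptions = { contentSecurityPolicy: false };

// Hardened setting (constructed for this example): same-origin scripts and
// styles only, no inline script, no plugins, no framing, locked base URI.
const hardenedHelmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
      imgSrc: ["'self'", "data:"],
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"],
      baseUri: ["'self'"],
    },
  },
};

// camelCase directive key -> header directive name (scriptSrc -> script-src)
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Serialize a Helmet-style directives object into the header value.
// Returns null when the configuration disables CSP entirely.
function buildCspHeader(helmetOptions) {
  const csp = helmetOptions.contentSecurityPolicy;
  if (csp === false) return null;
  return Object.entries(csp.directives)
    .map(([key, values]) => `${directiveName(key)} ${values.join(" ")}`)
    .join("; ");
}

// Config-review check: CSP off, or script sources that allow inline or
// any-origin script, gives injected script free rein, so report it as weak.
function cspIsProtective(helmetOptions) {
  if (buildCspHeader(helmetOptions) === null) return false;
  const d = helmetOptions.contentSecurityPolicy.directives;
  const scriptSources = d.scriptSrc || d.defaultSrc || [];
  return !scriptSources.some((s) => s === "'unsafe-inline'" || s === "*");
}

console.log("weak header:", buildCspHeader(weakHelmetOptions)); // null
console.log("hardened header:", buildCspHeader(hardenedHelmetOptions));
```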

Metadata

Created: 2025-07-21T19:51:14Z
Modified: 2025-07-21T22:21:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-59g8-h59f-8hjp/GHSA-59g8-h59f-8hjp.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-59g8-h59f-8hjp
Finding: F425
Auto approve: 1