GHSA-F38F-JVQJ-MFG6

Vulnerability from github – Published: 2025-07-21 19:48 – Updated: 2025-07-21 22:21
Summary
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
Details

Summary

The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks.

Details

If a user deploys haxcms-nodejs without modifying the default settings, `HAXCMS_DISABLE_JWT_CHECKS` is set to `true` and the deployment runs with no session authentication at all.

[Image: insecure-default-configuration-code]

Affected Resources

  • package.json:13 (https://github.com/haxtheweb/haxcms-nodejs/blob/a4d2f18341ff63ad2d97c35f9fc21af8b965248b/package.json#L13)
PoC

To reproduce this vulnerability, install HAX CMS NodeJS (https://github.com/haxtheweb/haxcms-nodejs) with its default settings. The application starts without JWT checks enabled.

Impact

Without these checks in place, an unauthenticated remote attacker can access, modify, and delete all site information. The advisory rates this CRITICAL (CVSS 4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H); @haxtheweb/haxcms-nodejs versions up to and including 11.0.6 are affected, and 11.0.7 contains the fix.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T19:48:58Z",
    "nvd_published_at": "2025-07-21T21:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe NodeJS version of HAX CMS uses an insecure default configuration designed for local\ndevelopment. The default configuration does not perform authorization or authentication checks.\n\n### Details\nIf a user were to deploy haxcms-nodejs without modifying the default settings, \u2018HAXCMS_DISABLE_JWT_CHECKS\u2018 would be set to \u2018true\u2018 and their deployment would lack session authentication. \n\n![insecure-default-configuration-code](https://github.com/user-attachments/assets/af58b08a-8a26-4ef5-8deb-e6e9d4efefaa)\n\n#### Affected Resources\n- [package.json:13](https://github.com/haxtheweb/haxcms-nodejs/blob/a4d2f18341ff63ad2d97c35f9fc21af8b965248b/package.json#L13)\n\n### PoC\nTo reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without JWT checks enabled. \n\n### Impact\nWithout security checks in place, an unauthenticated remote attacker could access, modify, and delete all site information.",
  "id": "GHSA-f38f-jvqj-mfg6",
  "modified": "2025-07-21T22:21:21Z",
  "published": "2025-07-21T19:48:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-f38f-jvqj-mfg6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54127"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/haxcms-nodejs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access"
}

