CVE-2025-48996
📋 TL;DR
An unauthenticated information disclosure vulnerability in HAX open-apis allows remote attackers to retrieve a full list of PSU websites hosted on HAX CMS. This affects Penn State University deployments using open-apis versions up to 10.0.2. When combined with other authorization issues, this could facilitate targeted attacks like unauthorized content modification.
💻 Affected Systems
- HAX open-apis
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine this information disclosure with other vulnerabilities (like HAX-3) to perform unauthorized content modification or deletion across multiple websites.
Likely Case
Attackers gather intelligence about PSU websites hosted on HAX CMS for reconnaissance and potential targeted attacks.
If Mitigated
Information disclosure is limited to website enumeration, with no ability to modify content.
🎯 Exploit Status
Direct API call to haxPsuUsage endpoint without authentication required. Chaining with other vulnerabilities increases impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7
Vendor Advisory: https://github.com/haxtheweb/issues/security/advisories/GHSA-fvx2-x7ff-fc56
Restart Required: Yes
Instructions:
1. Update HAX open-apis to a version that includes commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7.
2. Restart affected services.
3. Verify that the haxPsuUsage endpoint now requires proper authentication.
🔧 Temporary Workarounds
Block unauthenticated access to haxPsuUsage endpoint
Configure the web server or firewall to block unauthenticated requests to the vulnerable API endpoint. Note that the nginx example below denies the endpoint to everyone, including legitimate users, and the Apache example only works if an authentication provider (AuthType, AuthName and the matching provider directives) is already configured for that location.

Example for nginx:

```nginx
location ~* /haxPsuUsage {
    deny all;
}
```

Example for Apache:

```apache
<Location /haxPsuUsage>
    Require valid-user
</Location>
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate HAX CMS from untrusted networks
- Deploy WAF rules to block unauthenticated requests to haxPsuUsage endpoint
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated GET request to the /haxPsuUsage endpoint. If it returns the website list without authentication, the system is vulnerable.
Check Version:
Check package.json or the version file in the open-apis installation directory.
Verify Fix Applied:
Attempt an unauthenticated GET request to the /haxPsuUsage endpoint. It should return an authentication error or 403 Forbidden.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /haxPsuUsage endpoint
- Unauthenticated requests to /haxPsuUsage returning 200 OK
Network Indicators:
- Unusual traffic patterns to HAX CMS API endpoints from external IPs
SIEM Query:
source="web_server" AND (uri="/haxPsuUsage" OR uri="/api/haxPsuUsage") AND response_code=200 AND user="-"
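The log indicators and the SIEM query above can also be applied directly to web server access logs where no SIEM is available. The following Python script is an added example, not part of this advisory or of the HAX project: it parses combined-format access log lines, flags the indicator the query describes (200 OK on /haxPsuUsage or /api/haxPsuUsage with no authenticated user), and separately reports source IPs whose request volume to the endpoint exceeds a threshold. The log lines, IP addresses and the threshold value are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format as written by nginx/Apache (assumed: the deployment logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The two URI forms named in the advisory's SIEM query.
WATCHED_PATHS = {"/haxPsuUsage", "/api/haxPsuUsage"}

# Constructed sample log lines (not real traffic): one scraper hitting the endpoint
# three times without credentials, one authenticated user, one blocked request, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "GET /haxPsuUsage HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [12/Jun/2025:10:01:03 +0000] "GET /api/haxPsuUsage?page=2 HTTP/1.1" 200 4870 "-" "curl/8.0"
203.0.113.7 - - [12/Jun/2025:10:01:04 +0000] "GET /api/haxPsuUsage?page=3 HTTP/1.1" 200 4810 "-" "curl/8.0"
198.51.100.4 - alice [12/Jun/2025:10:05:00 +0000] "GET /haxPsuUsage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2025:10:06:00 +0000] "GET /haxPsuUsage HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.9 - - [12/Jun/2025:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so /api/haxPsuUsage?page=2 still matches the watched path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_unauthenticated_disclosure(rec):
    """The advisory's indicator: the endpoint answered 200 OK to a request with no user ('-')."""
    return rec["path"] in WATCHED_PATHS and rec["status"] == 200 and rec["user"] == "-"


def scan(lines, volume_threshold=3):
    """Return (disclosure_hits, noisy_sources).

    disclosure_hits: parsed records matching the unauthenticated-200 indicator.
    noisy_sources:   {ip: count} for IPs with at least volume_threshold requests to the
                     endpoint regardless of status (the 'unusual volume' indicator).
    """
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in WATCHED_PATHS:
            per_ip[rec["ip"]] += 1
        if is_unauthenticated_disclosure(rec):
            hits.append(rec)
    noisy = {ip: n for ip, n in per_ip.items() if n >= volume_threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    for h in hits:
        print(f"unauthenticated 200 on {h['path']} from {h['ip']} at {h['ts']}")
    for ip, n in noisy.items():
        print(f"high volume: {ip} made {n} requests to the endpoint")
```

After the fix is applied, the first indicator should stop firing entirely (unauthenticated requests return an error instead of 200), while the volume counter remains useful for spotting scanners that keep probing the endpoint.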