CVE-2025-54128

6.1 MEDIUM

📋 TL;DR

HAX CMS NodeJS versions 11.0.7 and below have a disabled Content Security Policy (CSP), leaving the application vulnerable to cross-site scripting (XSS) attacks. This allows attackers to inject malicious scripts that could steal user data, hijack sessions, or deface websites. Anyone running HAX CMS NodeJS in production with affected versions is at risk.

💻 Affected Systems

Products:
  • HAX CMS NodeJS
Versions: 11.0.7 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the NodeJS version of HAX CMS, not other implementations. Vulnerability exists in default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could execute arbitrary JavaScript in users' browsers, leading to complete account takeover, data theft, or malware distribution to site visitors.

🟠

Likely Case

Attackers inject malicious scripts to steal session cookies or credentials, potentially compromising user accounts and sensitive data.

🟢

If Mitigated

With proper CSP enabled, script injection attempts would be blocked by the browser, preventing successful XSS exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS exploitation is well understood and CSP bypass techniques are widely documented, making weaponization likely even without a public PoC.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.8

Vendor Advisory: https://github.com/haxtheweb/issues/security/advisories/GHSA-59g8-h59f-8hjp

Restart Required: Yes

Instructions:

1. Update HAX CMS NodeJS to version 11.0.8 or later.
2. Restart the NodeJS application.
3. Verify that CSP headers are now present in HTTP responses.

🔧 Temporary Workarounds

Manually Enable CSP in app.js

Applies to: all affected versions

Edit the Helmet configuration in app.js to enable Content Security Policy with appropriate directives: remove or modify the 'contentSecurityPolicy: false' setting.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Use reverse proxy to add CSP headers to responses

🔍 How to Verify

Check if Vulnerable:

Check app.js for 'contentSecurityPolicy: false' in the Helmet configuration, or verify that the installed version is 11.0.7 or below.

Check Version:

Check package.json for the version, or run 'npm list haxcms' in the application directory.

Verify Fix Applied:

Check HTTP response headers for a Content-Security-Policy header and confirm that the version is 11.0.8 or above.
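The workaround above (re-enabling CSP in the Helmet configuration) and this verification step, as an added example that is not code from the HAX CMS project: a Helmet-style switch that drops the header when 'contentSecurityPolicy: false' is set, beside an audit of response headers for a present and restrictive policy. It runs on plain Node.js without the real helmet package, and the directive values are placeholders, not the advisory's.

```javascript
// Added example, not HAX CMS code. Assumes plain Node.js; the directives below
// are placeholder values, not the ones the vendor fix ships.
const cspDirectives = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'self'"],
};

// Serialise a directives object into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Helmet-style switch: `contentSecurityPolicy: false` means no header is emitted.
// Anything else is treated as { directives } and serialised.
function applySecurityHeaders(headers, config) {
  const out = { ...headers };
  if (config.contentSecurityPolicy !== false) {
    out["content-security-policy"] = buildCsp(config.contentSecurityPolicy.directives);
  }
  return out;
}

// Audit captured response headers: is a CSP present, and does it actually
// restrict script sources (no wildcard, no 'unsafe-inline')?
function auditCsp(headers) {
  const raw = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-security-policy");
  if (!raw) return { present: false, scriptSrcRestricted: false, findings: ["missing Content-Security-Policy header"] };
  const directives = Object.fromEntries(
    raw[1].split(";").map((s) => s.trim()).filter(Boolean).map((d) => {
      const [name, ...vals] = d.split(/\s+/);
      return [name, vals];
    })
  );
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  const findings = [];
  if (scriptSrc.length === 0) findings.push("no script-src or default-src directive");
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes("*")) findings.push("script-src allows any origin");
  return { present: true, scriptSrcRestricted: findings.length === 0, findings };
}

// Constructed configurations: the disabled state the advisory describes, and a re-enabled one.
const vulnerableConfig = { contentSecurityPolicy: false };
const fixedConfig = { contentSecurityPolicy: { directives: cspDirectives } };
```

Feed `auditCsp` the header map from a real response to the patched instance (for example from `curl -sI`) to confirm the header is present and not weakened by a wildcard or 'unsafe-inline'.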

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with script tags or JavaScript payloads
  • Error logs showing CSP violation reports, if CSP violation reporting is enabled

Network Indicators:

  • HTTP responses missing Content-Security-Policy headers
  • Requests containing suspicious script injection patterns

SIEM Query:

http.response.headers NOT Content-Security-Policy AND (app_name="HAX CMS" OR user_agent contains "haxcms")
