CVE-2025-54134
📋 TL;DR
HAX CMS NodeJS versions 11.0.8 and below crash when authenticated attackers send API requests missing required URL parameters to listFiles and saveFiles endpoints. This denial-of-service vulnerability affects systems running vulnerable HAX CMS NodeJS installations. The crash occurs due to improper exception handling when user-modifiable URL parameters are missing.
💻 Affected Systems
- HAX CMS NodeJS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption making HAX CMS NodeJS backend unavailable, potentially affecting all microsite management functionality until service restart.
Likely Case
Targeted denial-of-service attacks causing intermittent service crashes and availability issues for HAX CMS users.
If Mitigated
Minimal impact with proper input validation and error handling in place; service remains available with graceful error responses.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple: an attacker only needs to send API requests to the vulnerable endpoints with a required parameter omitted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.9
Vendor Advisory: https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Update HAX CMS NodeJS to version 11.0.9 or later.
3. Restart the Node.js service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Input Validation Middleware
Add middleware that validates required URL parameters before requests reach the vulnerable endpoints.
// Add parameter validation in Express middleware.
// validateParams is not an Express built-in: it is a helper you define that checks the
// listed query/body parameters and answers 400 when any is missing, so the route never
// dereferences an undefined value. Replace requiredParam1/2 with the real parameter names.
app.use('/api/listFiles', validateParams(['requiredParam1', 'requiredParam2']));
app.use('/api/saveFile', validateParams(['requiredParam1', 'requiredParam2']));
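As an added illustration that is not part of the advisory or of the HAX CMS code base, the following models the bug class (a route dereferencing a URL parameter it never checked) next to a validateParams middleware with the Express (req, res, next) signature. The parameter names, the sample requests and the tiny dispatch stand-in are assumptions so the demo runs without Express.

```javascript
// Added example (not HAX CMS or Express project code): a minimal model of the bug class
// behind CVE-2025-54134, plus a validateParams middleware of the kind the workaround uses.
// Parameter names ("site", "path") are placeholders, not the real HAX CMS parameter names.
// Vulnerable pattern: the route assumes a user-controlled URL parameter is always present.
// When it is omitted, `undefined.split` throws a TypeError; if nothing catches that
// exception, the Node.js process exits, which is the denial of service described above.
function listFilesVulnerable(req) {
  const { site, path } = req.query;
  return { status: 200, body: { site, segments: path.split('/') } };
}

// Workaround middleware with the Express (req, res, next) signature: reject the request
// with HTTP 400 before the route handler can dereference a missing parameter.
function validateParams(required) {
  return function (req, res, next) {
    const missing = required.filter((k) => {
      const v = req.query?.[k] ?? req.body?.[k];
      return v === undefined || v === null || v === '';
    });
    if (missing.length > 0) {
      return res.status(400).json({ error: `missing required parameter(s): ${missing.join(', ')}` });
    }
    return next();
  };
}

// Stand-in for Express dispatch so the example runs with no dependencies: runs the
// middleware, then the handler, and records an uncaught throw as a 500 with crashed=true
// (a real server without such a boundary would terminate instead).
function dispatch(middleware, handler, req) {
  let outcome = null;
  const res = {
    status(code) { outcome = { status: code }; return this; },
    json(body) { outcome.body = body; return this; },
  };
  try {
    let proceeded = false;
    middleware(req, res, () => { proceeded = true; });
    if (proceeded) outcome = handler(req);
  } catch (err) {
    outcome = { status: 500, body: { error: `${err.name}: ${err.message}` }, crashed: true };
  }
  return outcome;
}

// Constructed sample requests; passThrough is a no-op middleware for the unprotected case.
const goodReq = { query: { site: 'demo', path: 'docs/index.html' } };
const badReq = { query: { site: 'demo' } }; // "path" omitted, as in the advisory
const passThrough = (req, res, next) => next();
```

Running `dispatch(validateParams(['site', 'path']), listFilesVulnerable, badReq)` yields a 400 with the missing name, while the same request through `passThrough` throws the TypeError the advisory describes.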
Rate Limiting
Implement rate limiting on API endpoints to limit the impact of repeated exploitation attempts.
npm install express-rate-limit
const rateLimit = require('express-rate-limit');
// Allow at most 100 requests per client per 15-minute window.
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
});
// Apply the limiter to every route under /api/, including listFiles and saveFile.
app.use('/api/', apiLimiter);
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malformed API requests missing required parameters
- Restrict API access to trusted IP addresses only and implement stricter authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check package.json for the HAX CMS NodeJS version; if it is 11.0.8 or below, the system is vulnerable.
Check Version:
grep '"version"' package.json | head -1
Verify Fix Applied:
After updating to 11.0.9 or later, send requests to the affected API endpoints with a required parameter omitted; they should return an error response instead of crashing the process.
📡 Detection & Monitoring
Log Indicators:
- Node.js process crashes/restarts
- Error logs showing unhandled exceptions in listFiles or saveFiles routes
- Repeated API requests with missing parameters from same authenticated user
Network Indicators:
- HTTP 500 responses from /api/listFiles or /api/saveFile endpoints
- Sudden service unavailability following API requests
SIEM Query:
source="application.log" AND ("listFiles" OR "saveFile") AND ("unhandled exception" OR "crash" OR "process exit")
🔗 References
- https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22
- https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52
- https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34
- https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27