CVE-2025-54127

EPSS 0.30%

NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access

Published: 7/21/2025Modified: 7/21/2025

Description

### Summary The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. ### Details If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. ![insecure-default-configuration-code](https://github.com/user-attachments/assets/af58b08a-8a26-4ef5-8deb-e6e9d4efefaa) #### Affected Resources - [package.json:13](https://github.com/haxtheweb/haxcms-nodejs/blob/a4d2f18341ff63ad2d97c35f9fc21af8b965248b/package.json#L13) ### PoC To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without JWT checks enabled. ### Impact Without security checks in place, an unauthenticated remote attacker could access, modify, and delete all site information.

Affected packages (1)

npm/@haxtheweb/haxcms-nodejsfrom 0, < 11.0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Affected packages (1)

CVSS scores

References (3)