CVE-2025-54128

EPSS 0.17%

NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting

Published: 7/21/2025
Modified: 7/21/2025

Description

### Summary

The NodeJS version of HAX CMS ships with its Content Security Policy (CSP) disabled. This configuration is insecure for a production application because the browser receives no policy restricting where scripts may load from or whether inline script may run, so CSP provides no mitigation against cross-site scripting (XSS).

### Details

The `contentSecurityPolicy` option is explicitly disabled in the application's Helmet configuration in `app.js`. Disabling that option turns off Helmet's CSP middleware entirely, so responses are sent without a `Content-Security-Policy` header.

![permissive-csp-code](https://github.com/user-attachments/assets/8ec6c63c-9f9f-413e-be7e-ed14913da91c)

#### Affected Resources

- [app.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/b1f95880b42fea6ed07855b5804b29b182ec5e07/src/app.js#L52)

### PoC

To reproduce this issue, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS and start it. The application loads without a CSP configured. This can be confirmed by requesting any page and checking that the response carries no `Content-Security-Policy` header, for example with `curl -sI <url> | grep -i content-security-policy`, which prints nothing.

### Impact

A missing CSP is not exploitable on its own; it removes a defence-in-depth control. In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts in a victim's browser session and exfiltrate data, including session tokens and sensitive local data, with no browser-side policy to block the injected script or the outbound connection.

#### Additional Information

- [OWASP: Content Security Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
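The following is an added example, not code from HAX CMS or from the Helmet project. It puts the weak Helmet options object the advisory describes (`contentSecurityPolicy: false`) beside a hardened one, and runs a small CSP audit over the header each would produce. The directive set in `hardenedHelmetOptions` is assumed for illustration and would need to list the origins a real deployment loads from; `cspHeaderFromOptions` is a simplified stand-in for how Helmet turns camelCase directive names into a header value (it does not merge Helmet's defaults), and `auditCsp` is a hypothetical checker written for this example.

```javascript
// Added example (not HAX CMS or Helmet code): weak vs. hardened Helmet CSP
// options, plus an audit of the resulting Content-Security-Policy header.

// Weak: what the advisory describes. With this option Helmet sends no CSP
// header at all, so the browser applies no restrictions on script execution.
const weakHelmetOptions = { contentSecurityPolicy: false };

// Hardened (assumed directive set, for illustration only): only same-origin
// scripts, no plugins, no foreign base URIs, no framing by other sites.
const hardenedHelmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"],
      baseUri: ["'self'"],
      frameAncestors: ["'none'"],
    },
  },
};

// Render an options object into a header value. Simplified re-implementation
// of Helmet's camelCase -> kebab-case conversion; returns null when CSP is
// disabled, mirroring the absence of the header in that case.
function cspHeaderFromOptions(options) {
  const csp = options.contentSecurityPolicy;
  if (csp === false) return null;
  return Object.entries(csp.directives)
    .map(([name, values]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return `${kebab} ${values.join(" ")}`;
    })
    .join("; ");
}

// Parse a CSP header value into { "directive-name": [source, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Audit a response's CSP header (null when absent). Returns a list of
// findings; an empty list means the policy meaningfully constrains script.
function auditCsp(header) {
  if (header === null || header === undefined || header.trim() === "") {
    return ["no Content-Security-Policy header: XSS mitigation is disabled"];
  }
  const d = parseCsp(header);
  const findings = [];
  // script-src governs script; default-src is the fallback when it is absent.
  const scriptSrc = d["script-src"] || d["default-src"];
  if (!scriptSrc) {
    findings.push("neither script-src nor default-src set: scripts unrestricted");
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.includes("*")) findings.push("script-src allows any host (*)");
  }
  if (!d["object-src"] || !d["object-src"].includes("'none'")) {
    findings.push("object-src not 'none': plugin-based script execution possible");
  }
  return findings;
}

// Constructed inputs (not captured from a real deployment).
console.log("weak:", auditCsp(cspHeaderFromOptions(weakHelmetOptions)));
console.log("hardened:", auditCsp(cspHeaderFromOptions(hardenedHelmetOptions)));
console.log("permissive:", auditCsp("default-src *; script-src * 'unsafe-inline'"));
```

The audit deliberately treats a missing header as a single, top-level finding: once the header is absent there is nothing further to grade, which is exactly the state the advisory reports. Note that a header that is present but permissive (the third input) is reported as several distinct weaknesses, so re-enabling Helmet's CSP with `'unsafe-inline'` in `script-src` would not close the gap described here.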

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N |
