Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01OWc4LWg1OWYtOGhqcM4ABKWK

High CVSS: 7.2 EPSS: 0.00062% (0.19571 Percentile) EPSS:
Permalink JSON

NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting

Affected Packages Affected Versions Fixed Versions
npm:@haxtheweb/haxcms-nodejs <= 11.0.7 11.0.8
0 Dependent packages
0 Dependent repositories
1,590 Downloads last month

Affected Version Ranges

All affected versions

0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 10.0.0, 10.0.1, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.6, 11.0.7

All unaffected versions

11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15

Summary

The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks.

Details

The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js.

permissive-csp-code

Affected Resources

PoC

To reproduce this vulnerability, install HAX CMS NodeJS. The application will load without a CSP configured.

Impact

In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data.

Additional Information

References:

Identifiers

GHSA-59g8-h59f-8hjp

CVE-2025-54128

Risk

Severity

High

CVSS

CVSS Score: 7.2

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N

EPSS

EPSS Percentage: 0.00062

EPSS Percentile: 0.19571

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/haxtheweb/issues

Date and time

Published

8 days ago

Updated

7 days ago

API

JSON