
GSA_kwCzR0hTQS01ZnB2LTVxdmgtN2NmM84ABKWM

Severity: High
EPSS: 0.00078% (0.23933 percentile)

NodeJS version of the HAX CMS application is distributed with Default Secrets

Affected Package: npm:@haxtheweb/haxcms-nodejs
Affected Versions: < 11.0.10
Fixed Versions: 11.0.10
0 Dependent packages
0 Dependent repositories
1,590 Downloads last month

Affected Version Ranges

All affected versions

0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 10.0.0, 10.0.1, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.6, 11.0.7, 11.0.8, 11.0.9

All unaffected versions

11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15

Summary

The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI.

Affected Resources

Impact

An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.

References: