CVE-2025-54127
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
Description
### Summary The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. ### Details If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication.  #### Affected Resources - [package.json:13](https://github.com/haxtheweb/haxcms-nodejs/blob/a4d2f18341ff63ad2d97c35f9fc21af8b965248b/package.json#L13) ### PoC To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without JWT checks enabled. ### Impact Without security checks in place, an unauthenticated remote attacker could access, modify, and delete all site information.
How to fix CVE-2025-54127
To remediate CVE-2025-54127, upgrade the affected package to a fixed version below.
- —upgrade to 11.0.7 or later
Is CVE-2025-54127 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 11.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |