CVE-2025-54128

Description

### Summary The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. ### Details The `contentSecurityPolicy` value is explicitly disabled in the application's Helmet configuration in `app.js`.  #### Affected Resources - [app.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/b1f95880b42fea6ed07855b5804b29b182ec5e07/src/app.js#L52) ### PoC To reproduce this vulnerability, [install](https://github.com/haxtheweb/haxcms-nodejs) HAX CMS NodeJS. The application will load without a CSP configured. ### Impact In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data. #### Additional Information - [OWASP: Content Security Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)

How to fix CVE-2025-54128

To remediate CVE-2025-54128, upgrade the affected package to a fixed version below.

• —upgrade to 11.0.8 or later

Is CVE-2025-54128 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 11.0.8

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-54128
• PATCHgithub.com/haxtheweb/haxcms-nodejs
• WEBgithub.com/haxtheweb/haxcms-nodejs/commit/ddb9351c6d6418008d4084a5b17fd6d611bc4e30
• WEBgithub.com/haxtheweb/issues/security/advisories/GHSA-59g8-h59f-8hjp