Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-54137

HIGH
Published 2025-07-22T21:34:20.201Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-54137. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.3
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
LOW
Integrity
LOW
Availability
LOW

Description

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks. This is fixed in version 11.0.10.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

haxtheweb

issues

Affected Versions:

< 11.0.10

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks. This is fixed in version 11.0.10.

Affected Products (ENISA)

haxtheweb
issues

ENISA Scoring

CVSS Score (3.1)

7.3
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score

0.060
probability

ENISA References

https://github.com/haxtheweb/issues/security/advisories/GHSA-5fpv-5qvh-7cf3
https://github.com/haxtheweb/haxcms-nodejs/commit/6dc2441c876350ca6fe9fbaecb058d92ef442869
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614

Data provided by ENISA EU Vulnerability Database. Last updated: July 23, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

NodeJS version of the HAX CMS application is distributed with Default Secrets

GHSA-5fpv-5qvh-7cf3

Advisory Details

### Summary The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. ### Affected Resources - [HAXCMS.js](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614) HAXCMSClass ### Impact An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.

Affected Packages

npm @haxtheweb/haxcms-nodejs
ECOSYSTEM: ≥0 <11.0.10

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

WEB https://github.com/haxtheweb/issues/security/advisories/GHSA-5fpv-5qvh-7cf3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-54137
WEB https://github.com/haxtheweb/haxcms-nodejs/commit/6dc2441c876350ca6fe9fbaecb058d92ef442869
WEB https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614
PACKAGE https://github.com/haxtheweb/issues

Advisory provided by GitHub Security Advisory Database. Published: July 21, 2025, Modified: July 23, 2025

References

https://github.com/haxtheweb/issues/security/advisories/GHSA-5fpv-5qvh-7cf3
https://github.com/haxtheweb/haxcms-nodejs/commit/6dc2441c876350ca6fe9fbaecb058d92ef442869
https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614
Published: 2025-07-22T21:34:20.201Z
Last Modified: 2025-07-23T18:27:54.073Z
Copied to clipboard!