ghsa-pjj3-j5j6-qj27
Vulnerability from github
Published
2025-07-21 19:52
Modified
2025-07-21 22:21
Severity ?
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
Details

Summary

The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints.

Details

This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters.

Affected Resources

listFiles.js:22 listFiles() • saveFile.js:52 saveFile() • system/api/listFiles • system/api/saveFile

PoC

  1. Targeting an instance of instance of HAX CMS NodeJS, send a request without parameters to listFiles or saveFiles. The following screenshot shows the request in Burp Suite. listfilesrequest

  2. The server will crash with ERR_INVALID_ARG_TYPE. listfilescrash

Impact

An authenticated attacker can deny access to the HAX CMS NodeJS application by crashing the backend server. This prevents all users from accessing the backend system. If the backend system is hosting websites, those websites will be unavailable.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T19:52:53Z",
    "nvd_published_at": "2025-07-21T21:15:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the `listFiles` and `saveFiles` endpoints.\n\n### Details\nThis vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters.\n\n#### Affected Resources\n\u2022 [listFiles.js:22](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22) listFiles()\n\u2022 [saveFile.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52) saveFile()\n\u2022 system/api/listFiles\n\u2022 system/api/saveFile\n\n### PoC\n1. Targeting an instance of instance of [HAX CMS NodeJS](https://github.com/haxtheweb/haxcms-nodejs), send a request without parameters to `listFiles` or `saveFiles`. The following screenshot shows the request in Burp Suite.\n![listfilesrequest](https://github.com/user-attachments/assets/477ea4e0-5707-4948-b53c-7f042a0475fb)\n\n2. The server will crash with `ERR_INVALID_ARG_TYPE`.\n![listfilescrash](https://github.com/user-attachments/assets/85424c12-1619-41d3-9bf5-9e029cdaa8c1)\n\n### Impact\nAn authenticated attacker can deny access to the HAX CMS NodeJS application by crashing the backend server. This prevents all users from accessing the backend system. If the backend system is hosting websites, those websites will be unavailable.",
  "id": "GHSA-pjj3-j5j6-qj27",
  "modified": "2025-07-21T22:21:29Z",
  "published": "2025-07-21T19:52:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/haxcms-nodejs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.