CVE-2025-49139: @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
CVSS score: 5.3
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
@haxtheweb/haxcms-nodejs | npm | < 11.0.0 | 11.0.0
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (GHSA-v3ph-2q5q-cg88 / CVE-2025-49139) in @haxtheweb/haxcms-nodejs allows an authenticated attacker to conduct a phishing attack by embedding an iframe whose source URL they control. When a victim visits the page, the attacker's iframe can display a fake login prompt and harvest whatever credentials the victim types into it. The weakness is classified as CWE-1021: Improper Restriction of Rendered UI Layers or Frames.
The root cause is the absence of sandboxing on `<iframe>` elements that users can create through the HAX site editor. The fix commit (5368eb9b278ca47cd9a83b8d3e6216375615b8f5) addresses this by explicitly adding the `sandbox="allow-scripts allow-same-origin"` attribute to iframes in two places:

- `HaxStore.nodeToContent`: this function serializes HAX content to HTML. If an `<iframe>` tag is part of that content, the patched function now ensures it carries the `sandbox` attribute; previously the tag was emitted without it.
- `IframeLoader.firstUpdated`: the `iframe-loader` component renders iframes. Its `firstUpdated` method, which runs when the component is initialized, now sets the `sandbox` attribute on the iframes it creates; previously it did not.

The `sandbox` attribute is an allow-list: once it is present, every capability not named in it is withheld. Setting it to `allow-scripts allow-same-origin` therefore denies `allow-forms`, `allow-popups` and `allow-top-navigation`, so an attacker-controlled frame cannot submit a form, open a new window or navigate the top-level page, which removes the most direct paths for the fake-login-prompt phishing described above. Two caveats apply to this particular token set. `allow-scripts` still lets script run inside the frame, and `sandbox` does not restrict network requests, so the attribute mitigates the form-submission and navigation vectors rather than barring everything a framed page can do. And, as the HTML specification notes, a framed document that is same-origin with the embedding page and has both `allow-scripts` and `allow-same-origin` can remove the `sandbox` attribute from its own frame and reload itself, so the sandbox is only a hard boundary for cross-origin sources such as an attacker's external URL. The two functions above were identified as vulnerable because their earlier versions rendered these iframes without any sandboxing restrictions.