N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54128

GHSA ID

GHSA-59g8-h59f-8hjp

EPSS Score

CWE

CWE-79

Published

7/21/2025

Updated

7/21/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54128

CVE-2025-54128: NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting

Summary

The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks.

Details

The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js.

permissive-csp-code

Affected Resources

app.js:52

PoC

To reproduce this vulnerability, install HAX CMS NodeJS. The application will load without a CSP configured.

Impact

In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data.

Additional Information

OWASP: Content Security Policy

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54128

GHSA ID

GHSA-59g8-h59f-8hjp

EPSS Score

CWE

CWE-79

Published

7/21/2025

Updated

7/21/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@haxtheweb/haxcms-nodejs	npm	<= 11.0.7	11.0.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-59g8-h5f-8hjp, is a configuration issue within the main application file src/app.js of the HAX CMS NodeJS version. It is not contained within a specific, named function. The vulnerability is the explicit disabling of the Content Security Policy (CSP) via the helmet middleware configuration. The patch ddb9351c6d6418008d4084a5b17fd6d611bc4e30 shows the removal of app.use(helmet({ contentSecurityPolicy: false, ... })); and its replacement with a proper CSP configuration. This line of code is executed at the top level of the app.js module during the application's startup and initialization phase. As such, there is no function signature that would appear in a runtime profiler that directly corresponds to this misconfiguration. The vulnerability is a lack of a security control at the application level, which would allow for Cross-Site Scripting (XSS) attacks if another vulnerability that allows for injecting scripts exists.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** No**JS v*rsion o* **X *MS **s * *is**l** *ont*nt S**urity Poli*y (*SP). T*is *on*i*ur*tion is ins**ur* *or * pro*u*tion *ppli**tion ****us* it *o*s not prot**t ***inst *ross-sit*-s*riptin* *tt**ks. ### **t*ils T** `*ont*ntS**urityPol

Reasoning

T** vuln*r**ility, i**nti*i** *s **S*-****-***-**jp, is * *on*i*ur*tion issu* wit*in t** m*in *ppli**tion *il* `sr*/*pp.js` o* t** **X *MS No**JS v*rsion. It is not *ont*in** wit*in * sp**i*i*, n*m** *un*tion. T** vuln*r**ility is t** *xpli*it *is**l

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-54128: NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting

Summary

Details

Affected Resources

PoC

Impact

Additional Information

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI