N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54134

CVE-2025-54134: HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service

Summary

The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints.

Details

This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters.

Affected Resources

• listFiles.js:22 listFiles() • saveFile.js:52 saveFile() • system/api/listFiles • system/api/saveFile

PoC

Targeting an instance of instance of HAX CMS NodeJS, send a request without parameters to listFiles or saveFiles. The following screenshot shows the request in Burp Suite.
The server will crash with ERR_INVALID_ARG_TYPE.

Impact

An authenticated attacker can deny access to the HAX CMS NodeJS application by crashing the backend server. This prevents all users from accessing the backend system. If the backend system is hosting websites, those websites will be unavailable.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54134

CVE-2025-54134:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@haxtheweb/haxcms-nodejs	npm	< 11.0.9	11.0.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because of improper error handling in the HAX CMS NodeJS application, specifically within the listFiles and saveFiles API endpoints. When these endpoints receive a request that is missing expected URL parameters, the application attempts to access properties of an undefined object, which triggers an unhandled TypeError and causes the server to crash.\n\nThe analysis of the provided commit e9773d1996233f9bafb06832b8220ec2a98bab34 confirms the vulnerability in the listFiles function. The patch introduces a check to ensure that req.query and req.query[\'siteName\'] are present before the application tries to access them, thus preventing the crash. The vulnerability description also explicitly mentions that the saveFile function in src/routes/saveFile.js is affected by the same issue. Although the provided patch information from the tool only shows changes for listFiles.js, the commit on GitHub includes a similar fix for saveFile.js. Therefore, it is highly likely that the saveFile function is also vulnerable. An attacker can exploit this vulnerability by sending a crafted request to either of these endpoints, leading to a denial of service for all users of the application.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54134: HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service

Summary

Details

Affected Resources

PoC

Impact

CVE-2025-54134:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Basic Information

Basic Information

CVE-2025-54134: HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service

Summary

Details

Affected Resources

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI