Vulnerability Description
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource: both the JS and PHP versions of the CMS verify that a user is authenticated, but do not verify that the user has permission to interact with the requested resource before performing the operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
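The bug class above (authentication checked, authorization not) is easiest to see as two handlers side by side. The following is an added example written for this page, not code from HAX CMS or its patches; the site store, the `req.user` field and the request shape are assumptions for illustration.

```javascript
// Added example, not HAX CMS code: an API handler that stops at
// authentication beside one that also authorizes the caller against the
// specific resource. The site/owner data model and request shape are
// assumptions for illustration.

// Constructed sample store: site id -> record with an owner and editors.
function makeStore() {
  return new Map([
    ["site-a", { owner: "alice", editors: [], title: "Alice's site" }],
    ["site-b", { owner: "bob", editors: ["carol"], title: "Bob's site" }],
  ]);
}

// Authentication: is there a logged-in user at all? (req.user is assumed
// to be populated by an upstream session or token layer.)
function isAuthenticated(req) {
  return typeof req.user === "string" && req.user.length > 0;
}

// Authorization: may this particular user edit this particular site?
function canEdit(user, site) {
  return site.owner === user || site.editors.includes(user);
}

// Vulnerable pattern (the class of bug described in the advisory): the
// endpoint confirms the caller is logged in, then edits whatever site id
// the request named.
function updateSiteTitleVulnerable(store, req) {
  if (!isAuthenticated(req)) return { status: 401, body: "authentication required" };
  const site = store.get(req.params.siteId);
  if (!site) return { status: 404, body: "no such site" };
  site.title = req.body.title; // no ownership check: any logged-in user edits any site
  return { status: 200, body: site };
}

// Fixed pattern: authenticate, resolve the resource, authorize the caller
// against that resource, and only then mutate it.
function updateSiteTitleFixed(store, req) {
  if (!isAuthenticated(req)) return { status: 401, body: "authentication required" };
  const site = store.get(req.params.siteId);
  if (!site) return { status: 404, body: "no such site" };
  if (!canEdit(req.user, site)) return { status: 403, body: "forbidden" };
  site.title = req.body.title;
  return { status: 200, body: site };
}

// Helper that builds a request object in the assumed shape.
function makeRequest(user, siteId, title) {
  return { user, params: { siteId }, body: { title } };
}
```

The point to carry over to a real code base is the ordering in `updateSiteTitleFixed`: the permission check runs after the resource is loaded and before any write, so it can consult the resource's own owner or ACL rather than a global role. Whether an unauthorized caller should receive 403 or the same 404 as a nonexistent resource is a separate design choice (the latter avoids confirming which site ids exist).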
CVSS Score
8.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Psu | Haxcms-Nodejs | < 11.0.14 |
| Psu | Haxcms-Php | < 11.0.9 |
Related Weaknesses (CWE)
References
- https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b1 (Patch)
- https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef (Patch)
- https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894 (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-54378?
CVE-2025-54378 is a vulnerability with a CVSS score of 8.3 (HIGH). HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perfo...
How severe is CVE-2025-54378?
CVE-2025-54378 is rated HIGH with a CVSS base score of 8.3/10; see the CVSS Score section above.
Is there a patch for CVE-2025-54378?
Yes. The issue is fixed in haxcms-nodejs 11.0.14 and haxcms-php 11.0.9; the references section above links the patch commits and the GitHub advisory. Affected products: Psu Haxcms-Nodejs, Psu Haxcms-Php.