CVE-2025-54134
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| psu | haxcms-nodejs | all versions before 11.0.9 (11.0.9 itself is the fixed release) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-248 | Uncaught Exception | An exception is thrown from a function, but it is not caught. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
HAX CMS NodeJs versions 11.0.8 and below crash when an authenticated attacker sends an API request to the listFiles or saveFiles endpoint that omits required URL parameters. The handlers assume those parameters are present and do nothing to validate them (CWE-20), so a missing value raises an exception that nothing catches (CWE-248). In a Node.js service an exception that escapes a request handler is not confined to that one request: it reaches the process and terminates it, so every user of the instance loses service, not only the attacker. The issue is fixed in version 11.0.9.
How can this vulnerability impact me?
The application crashes, which is a denial of service for all users of that instance until the process is restarted. Exploitation requires an authenticated account but no particular skill: a single API request to listFiles or saveFiles with a required URL parameter left out is enough, and it can be repeated as often as the service comes back up. If the service is not run under a supervisor that restarts it automatically, the outage lasts until an operator intervenes.
What immediate steps should I take to mitigate this vulnerability?
Upgrade HAX CMS NodeJs to version 11.0.9 or later, which contains the fix. Until the upgrade can be applied: restrict access to the listFiles and saveFiles endpoints (for example at a reverse proxy or application firewall) to trusted accounts; review which accounts can authenticate at all, since any authenticated user can trigger the crash; run the service under a process supervisor (systemd, pm2, or a container restart policy) so a crash becomes a brief interruption rather than an outage; and monitor both for unexpected process restarts and for API requests to those two endpoints that are missing their expected URL parameters, which is the signature of an exploitation attempt.
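The following is an added example, not code from HAX CMS or from this advisory, that models the failure mode described in the explanation above and the input-validation fix described in the mitigation. It shows a Node.js listFiles-style handler in two shapes: an unsafe one that dereferences a URL parameter without checking it is present, so a missing parameter rejects the handler's promise and, left unhandled, would terminate the process; and a hardened one that validates required parameters first and maps every remaining error to an HTTP response for that request alone. The parameter name `site`, the in-memory file store, and the helper names `requireParams` and `wrapAsync` are assumptions for illustration; HAX CMS's real parameter names and storage are not reproduced here.

```javascript
// Added example, not HAX CMS code. Models a Node.js API handler that reads a
// required URL query parameter, in an unsafe shape (an exception escapes the
// async handler and would terminate the process) and a hardened shape that
// validates parameters first and maps any remaining error to an HTTP response.
// Parameter name ("site"), store contents and helper names are assumptions.

// Constructed in-memory file store standing in for the site's storage.
const FAKE_STORE = new Map([
  ["demo-site", ["index.html", "about.html"]],
]);

class BadRequest extends Error {
  constructor(message) {
    super(message);
    this.status = 400;
  }
}

// Returns an object holding exactly the required parameters, or throws
// BadRequest. Rejects empty values and control characters so downstream
// file-system code never sees a malformed path segment.
function requireParams(searchParams, names) {
  const out = {};
  for (const name of names) {
    const value = searchParams.get(name);
    if (value === null || value.trim() === "") {
      throw new BadRequest(`missing required parameter: ${name}`);
    }
    if (/[\u0000-\u001f]/.test(value)) {
      throw new BadRequest(`invalid characters in parameter: ${name}`);
    }
    out[name] = value;
  }
  return out;
}

// Unsafe shape: dereferences the parameter without checking it is present.
// searchParams.get() returns null for a missing key, so null.split() throws a
// TypeError inside the async function and the returned promise rejects. A
// caller that attaches no catch handler lets that reach the process as an
// unhandled rejection, which Node.js 15 and later treat as fatal by default.
async function listFilesUnsafe(requestUrl) {
  const url = new URL(requestUrl, "http://localhost");
  const site = url.searchParams.get("site");
  const key = site.split("/")[0]; // TypeError when "site" is missing
  const files = FAKE_STORE.get(key) || [];
  return { status: 200, body: { files } };
}

// Hardened shape: validate first, then do the work; any error that is not a
// BadRequest becomes a 500 for this request only. Nothing escapes to the
// process, so one bad request cannot take the server down.
async function listFilesSafe(requestUrl) {
  try {
    const url = new URL(requestUrl, "http://localhost");
    const { site } = requireParams(url.searchParams, ["site"]);
    const files = FAKE_STORE.get(site);
    if (files === undefined) {
      return { status: 404, body: { error: "unknown site" } };
    }
    return { status: 200, body: { files } };
  } catch (err) {
    if (err instanceof BadRequest) {
      return { status: err.status, body: { error: err.message } };
    }
    return { status: 500, body: { error: "internal error" } };
  }
}

// Wraps an async route handler so a rejection becomes a 500 response instead
// of an unhandled rejection. This is the generic safety net to apply to every
// route, not only the two endpoints named in the advisory.
function wrapAsync(handler) {
  return (requestUrl) =>
    handler(requestUrl).catch((err) => ({
      status: err.status || 500,
      body: { error: err.status ? err.message : "internal error" },
    }));
}

// Drives both shapes with the same constructed requests and records whether
// the unsafe handler's promise rejected (the condition that crashes a process
// with no rejection handler installed).
async function demo() {
  const requests = [
    "/api/listFiles?site=demo-site",
    "/api/listFiles", // required parameter omitted, as in the advisory
  ];
  const results = [];
  for (const req of requests) {
    const unsafeRejected = await listFilesUnsafe(req).then(() => false, () => true);
    const safe = await listFilesSafe(req);
    const wrapped = await wrapAsync(listFilesUnsafe)(req);
    results.push({ req, unsafeRejected, safeStatus: safe.status, wrappedStatus: wrapped.status });
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running the file prints one record per request: the well-formed request succeeds under all three paths, while the request with `site` omitted rejects the unsafe handler's promise (the crash condition), returns 400 from the validating handler, and returns 500 from the wrapped unsafe handler. The wrapper is a stop-gap that keeps the process alive; the validating handler is the actual fix, because it also tells the client what was wrong and keeps malformed values away from the file-system code.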