CVE-2025-54137
BaseFortify
Publication date: 2025-07-22
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psu | haxcms-nodejs | < 11.0.10 (11.0.9 and earlier) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
AI Powered Q&A
Can you explain this vulnerability to me?
HAX CMS NodeJS 11.0.9 and earlier shipped with hardcoded default credentials for the user and superuser accounts and with default JWT signing keys. The installer never prompts for new values and the UI offers no way to change them, so an unconfigured self-hosted instance keeps the defaults indefinitely. Because those defaults are published in the haxtheweb GitHub repositories, an unauthenticated attacker can read them, log in (or mint valid tokens with the known key), modify sites, and stage further attacks from the instance. Fixed in 11.0.10.
How can this vulnerability impact me?
If your HAX CMS NodeJS instance is unconfigured and still carries the shipped credentials or JWT key, anyone on a network that can reach it can authenticate as the superuser without any exploit beyond reading a public repository. From there they can alter or delete the sites the instance hosts, plant content, and use the foothold for further activity, compromising the integrity, confidentiality and availability of your microsite universe.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to two questions: is the instance running 11.0.9 or earlier, and is it still using the shipped credentials and JWT signing key? Because the defaults are public (they are in the haxtheweb GitHub repositories), anyone can compare your deployment against them, so do it before they do:
1) Check the installed version. Read the version field from the application's package.json, e.g. `grep '"version"' /path/to/haxcms/package.json`; anything below 11.0.10 is affected.
2) Try the default accounts, against your own instance only. A request to the instance's login endpoint (for example with curl) carrying the default user or superuser credentials that succeeds means the defaults were never changed.
3) Check the JWT secret. Locate where your deployment stores the JWT signing key (this depends on how you installed HAX CMS) and compare it with the value in the public repository. A match means anyone can mint tokens the server accepts without ever logging in, so a clean authentication log does not prove nobody has been in.
Exact paths and endpoints depend on your environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade HAX CMS NodeJS to 11.0.10 or later, where the issue is fixed. If you cannot upgrade immediately: replace the default user and superuser credentials and the JWT signing key by hand wherever your deployment stores them (the UI offers no way to do this), and restrict access to the instance to trusted networks. Rotating the JWT key also invalidates any token already minted with the default key. Review logs for unexpected logins and site modifications, keeping in mind that a forged token leaves no failed-login trail.