CVE-2025-48996
JavaScript vulnerability analysis and mitigation

Overview

An unauthenticated information disclosure vulnerability (CVE-2025-48996) was discovered in the Penn State University deployment of the HAX content management system. The vulnerability exists in the haxPsuUsage API endpoint within the open-apis component, affecting versions up to and including 10.0.2. The issue was disclosed on June 2, 2025, and has been assigned a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory).

Technical details

The vulnerability exists in the haxPsuUsage.js file where the API endpoint https://open-apis.hax.cloud/api/services/stats/haxPsuUsage returns a list of websites without implementing any authentication or authorization checks. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (GitHub Advisory).

Impact

The vulnerability allows any remote unauthenticated user to retrieve a complete list of PSU websites hosted on the HAX CMS. When combined with other authorization issues (such as HAX-3), this information disclosure could facilitate targeted attacks, potentially leading to unauthorized content modification or deletion of academic, instructional, and departmental sites (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7, which modifies the API response to only return overall data instead of detailed site listings. Organizations should upgrade to versions after June 2, 2025, to receive the security fix (GitHub Commit).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management