CVE-2025-54128: 
JavaScript vulnerability analysis and mitigation

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This vulnerability was discovered on July 21, 2025, and was fixed in version 11.0.8 (NVD, GitHub Advisory).

The vulnerability stems from an explicitly disabled Content Security Policy in the application's Helmet configuration within app.js. The CVSS v4.0 base score is 7.2 (HIGH) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited in conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data. The vulnerability affects the security posture of production applications by removing a critical defense mechanism against cross-site scripting attacks (GitHub Advisory).

The vulnerability has been patched in version 11.0.8 of HAX CMS NodeJS. Users should upgrade to this version or later to implement proper Content Security Policy configurations. The fix includes the implementation of appropriate CSP directives in the Helmet configuration (GitHub Patch).