CVE-2025-54134: 
JavaScript vulnerability analysis and mitigation

HAX CMS NodeJs is a content management system that allows users to manage their microsite universe with a NodeJs backend. A vulnerability was discovered in versions 11.0.8 and below, identified as CVE-2025-54134, where the application crashes when an authenticated attacker provides an API request lacking required URL parameters. The vulnerability was discovered and disclosed on July 21, 2025, affecting the listFiles and saveFiles endpoints (GitHub Advisory).

The vulnerability stems from improper exception handling when processing user-modifiable URL parameters. The issue specifically affects two endpoints: listFiles.js:22 and saveFile.js:52. The vulnerability has been assigned a CVSS v4.0 score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is categorized under multiple CWE categories including CWE-20 (Improper Input Validation), CWE-248 (Uncaught Exception), and CWE-703 (Improper Check or Handling of Exceptional Conditions) (GitHub Advisory).

When successfully exploited, this vulnerability allows an authenticated attacker to deny access to the HAX CMS NodeJS application by crashing the backend server. This results in a complete denial of service, preventing all users from accessing the backend system. If the backend system is hosting websites, those websites become unavailable (GitHub Advisory).

The vulnerability has been fixed in version 11.0.9 of HAX CMS NodeJs. Users are advised to upgrade to this version to protect against this vulnerability (GitHub Advisory).