CVE-2025-54137: 
JavaScript vulnerability analysis and mitigation

HAX CMS NodeJS, a content management system with NodeJS backend, was found to contain a critical security vulnerability (CVE-2025-54137) in versions 11.0.9 and below. The vulnerability was discovered and disclosed on July 22, 2025, affecting the core authentication system of the application. The issue stems from the distribution of hardcoded default credentials for user and superuser accounts, along with default private keys for JWTs (GitHub Advisory).

The vulnerability is characterized by the presence of hardcoded default credentials and JWT private keys in the application's codebase. The CVSS v3.1 score for this vulnerability is 7.3 (High), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is associated with multiple CWE categories including CWE-1392 (Use of Default Credentials), CWE-1393 (Use of Default Password), and CWE-1394 (Use of Default Cryptographic Key) (NVD).

An unauthenticated attacker can access the default user credentials and JWT private keys from the public GitHub repositories. These credentials and keys can be used to gain unauthorized access to unconfigured self-hosted instances of the application, modify sites, and potentially execute further attacks (GitHub Advisory).

The vulnerability has been fixed in version 11.0.10 of HAX CMS NodeJS. Users are strongly advised to upgrade to this version. Additionally, system administrators should ensure that default credentials are changed immediately after installation, although the application currently lacks a user interface mechanism for changing these credentials (GitHub Advisory).