HAX CMS NodeJs's Improper Error Handling Leads to Denial of Service
Description
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HAX CMS NodeJS crashes on authenticated API requests lacking required URL parameters in listFiles and saveFiles endpoints; fixed in 11.0.9.
Root Cause
The vulnerability in HAX CMS NodeJS (versions 11.0.8 and below) arises from improper exception handling when authenticated users supply API requests to the listFiles and saveFiles endpoints with missing required URL parameters. The application fails to validate the presence of the siteName parameter before use, leading to an unhandled exception that causes the NodeJS process to crash [1][2]. The official fix in commit e9773d1 introduces an early check for req.query['siteName'], wrapping subsequent operations inside an if block to prevent execution when the parameter is absent [2].
Exploitation
An attacker must be authenticated to the HAX CMS NodeJS application. They can then craft a request to either /listFiles or /saveFiles that deliberately omits the siteName URL parameter [1]. The absence of this parameter triggers a crash in the backend, resulting in a denial-of-service condition. The attack does not require any special privileges beyond a valid user session, and the affected endpoints are accessible to authenticated users [1][3][4].
Impact
Successful exploitation results in a denial-of-service (DoS) event: the NodeJS server crashes, making the CMS unavailable to all users until the service is manually restarted [1]. The vulnerability does not appear to enable data exfiltration, privilege escalation, or code execution—only a crash that impacts availability.
Mitigation
The issue is fixed in HAX CMS NodeJS version 11.0.9. Users running version 11.0.8 or earlier should update immediately [1]. No workarounds are documented; the patch simply adds a guard clause to verify the presence of required parameters before proceeding with file operations [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @haxtheweb/haxcms-nodejs (npm) | < 11.0.9 | 11.0.9 |
Affected products
- haxtheweb/issues: range < 11.0.9
Patches
- e9773d199623: https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27
1 file changed · +38 −35
src/routes/listFiles.js+38 −35 modified@@ -21,46 +21,49 @@ const mime = require('mime'); */ async function listFiles(req, res) { let files = []; - let site = await HAXCMS.loadSite(req.query['siteName']); - if (site && site.siteDirectory) { - let search = (typeof req.query['filename'] !== 'undefined') ? req.query['filename'] : ''; - // build files directory path - let siteFilePath = path.join(site.siteDirectory, 'files'); - let handle; - if (handle = fs.readdirSync(siteFilePath)) { - handle.forEach(file => { - if ( - file != "." && - file != ".." && - file != '.gitkeep' && - file != '.DS_Store' - ) { - // ensure this is a file + // verify that we have params expected from frontend + if (req.query && req.query['siteName']) { + let site = await HAXCMS.loadSite(req.query['siteName']); + if (site && site.siteDirectory) { + let search = (typeof req.query['filename'] !== 'undefined') ? req.query['filename'] : ''; + // build files directory path + let siteFilePath = path.join(site.siteDirectory, 'files'); + let handle; + if (handle = fs.readdirSync(siteFilePath)) { + handle.forEach(file => { if ( - fs.lstatSync(siteFilePath + '/' + file).isFile() + file != "." && + file != ".." 
&& + file != '.gitkeep' && + file != '.DS_Store' ) { - // ensure this is a file and if we are searching for results then return only exact ones - if (search == "" || file.indexOf(search) !== -1) { - let fullUrl = '/files/' + file; - // multiple sites then append the base url to site management area - if (HAXCMS.operatingContext == 'multisite') { - fullUrl = HAXCMS.basePath + - HAXCMS.sitesDirectory + '/' + - site.manifest.metadata.site.name + '/files/' + file + // ensure this is a file + if ( + fs.lstatSync(siteFilePath + '/' + file).isFile() + ) { + // ensure this is a file and if we are searching for results then return only exact ones + if (!search || search == "" || file.indexOf(search) !== -1) { + let fullUrl = '/files/' + file; + // multiple sites then append the base url to site management area + if (HAXCMS.operatingContext == 'multisite') { + fullUrl = HAXCMS.basePath + + HAXCMS.sitesDirectory + '/' + + site.manifest.metadata.site.name + '/files/' + file + } + files.push({ + 'path' : 'files/' + file, + 'fullUrl' : fullUrl, + 'url' : 'files/' + file, + 'mimetype' : mime.getType(siteFilePath + '/' + file), + 'name' : file + }); } - files.push({ - 'path' : 'files/' + file, - 'fullUrl' : fullUrl, - 'url' : 'files/' + file, - 'mimetype' : mime.getType(siteFilePath + '/' + file), - 'name' : file - }); + } else { + // @todo maybe step into directories? } - } else { - // @todo maybe step into directories? } - } - }); + }); + } } } res.send(files);
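Review bot: the new `if (req.query && req.query['siteName'])` guard stops the crash but turns a malformed request into a silent success: when the parameter is absent the handler falls straight through to `res.send(files)` and answers 200 with `[]`, which a caller cannot tell apart from a site that has no files. An `else` branch returning an explicit 400 (for example `res.status(400).send({ error: 'siteName required' })`) would make the rejected request visible to clients and in logs. The guard also protects only that one parameter: `HAXCMS.loadSite(...)` and `fs.readdirSync(siteFilePath)` inside the block still run unprotected, so any other rejection or throw in this async handler escapes exactly as before (`readdirSync` throws if the `files` directory is missing). Wrapping the body in `try { ... } catch` and answering 500 would close that class rather than this one instance. Lastly, the header says 1 file changed while the advisory also names saveFiles; that route needs the same check.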
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pjj3-j5j6-qj27 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-54134 (GHSA, ADVISORY)
- github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js (GHSA, x_refsource_MISC, WEB)
- github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js (GHSA, x_refsource_MISC, WEB)
- github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34 (GHSA, x_refsource_MISC, WEB)
- github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.