Headline
GHSA-59g8-h59f-8hjp: NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
Summary
The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks.
Details
The contentSecurityPolicy value is explicitly disabled in the application’s Helmet configuration in app.js.
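The setting described above, shown as an added example that is not HAX CMS or Helmet code: the disabling option beside an explicit allow-list, plus a startup check that refuses to run in production with CSP off or with inline/eval script permitted. The directive values and the helper names are assumptions for this example; Helmet's own default directives are not modelled.

```javascript
// Added example (not HAX CMS or Helmet code). Only the shape of Helmet's
// option object is assumed: `false` disables CSP, `{ directives }` enables it.
// Insecure: the pattern the advisory describes, CSP middleware switched off.
const insecureHelmetOptions = { contentSecurityPolicy: false };

// Corrected: an explicit allow-list. Values are constructed for this example
// and must be tuned to the application's real script and asset origins.
const hardenedHelmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],      // no 'unsafe-inline' or 'unsafe-eval'
      scriptSrcAttr: ["'none'"],  // blocks inline event-handler attributes
      objectSrc: ["'none'"],
      baseUri: ["'self'"],
      frameAncestors: ["'self'"],
      formAction: ["'self'"],
      imgSrc: ["'self'", "data:"],
      styleSrc: ["'self'"],
    },
  },
};

// camelCase option keys -> kebab-case directive names used in the header.
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Render the Content-Security-Policy header an explicit config would emit,
// or null when CSP is disabled. Helmet's built-in defaults are not modelled.
function cspHeaderFor(options) {
  const csp = options.contentSecurityPolicy;
  if (csp === false) return null;
  if (!csp || !csp.directives) throw new Error("expected explicit directives");
  return Object.entries(csp.directives)
    .map(([name, values]) => `${toDirectiveName(name)} ${values.join(" ")}`)
    .join("; ");
}

// Startup guard: in production, a disabled CSP or a script-src that permits
// inline/eval'd script is a configuration error, so refuse to start.
function checkCsp(options, env) {
  const header = cspHeaderFor(options);
  const scriptSrc = header === null ? [] : options.contentSecurityPolicy.directives.scriptSrc || [];
  const weak = scriptSrc.some((v) => v === "'unsafe-inline'" || v === "'unsafe-eval'");
  const reason = header === null ? "CSP disabled" : weak ? "script-src allows inline/eval" : "ok";
  if (env === "production" && reason !== "ok") throw new Error(`refusing to start: ${reason}`);
  return { ok: reason === "ok", reason, header };
}
```

Calling `checkCsp(helmetOptions, process.env.NODE_ENV)` before `app.use(helmet(helmetOptions))` turns a silently missing CSP into a startup failure instead of a production exposure.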
Affected Resources
- app.js:52
PoC
To reproduce this vulnerability, install HAX CMS NodeJS. The application will load without a CSP configured.
Impact
In conjunction with an XSS vulnerability, an attacker could execute arbitrary scripts and exfiltrate data, including session tokens and sensitive local data.
Additional Information
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-54128
High severity GitHub Reviewed Published Jul 21, 2025 in haxtheweb/issues • Updated Jul 21, 2025
Package
npm @haxtheweb/haxcms-nodejs (npm)
Affected versions
<= 11.0.7
Additional Information
- OWASP: Content Security Policy
References
- GHSA-59g8-h59f-8hjp
- haxtheweb/haxcms-nodejs@ddb9351
Published to the GitHub Advisory Database: Jul 21, 2025
Last updated: Jul 21, 2025