Headline
GHSA-5fpv-5qvh-7cf3: NodeJS version of the HAX CMS application is distributed with Default Secrets
Summary
The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren’t prompted to change credentials or secrets during installation, and there is no way to change them through the UI.
Affected Resources
- HAXCMS.js HAXCMSClass
Impact
An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-5fpv-5qvh-7cf3
NodeJS version of the HAX CMS application is distributed with Default Secrets
High severity GitHub Reviewed Published Jul 21, 2025 in haxtheweb/issues • Updated Jul 21, 2025
Package
npm @haxtheweb/haxcms-nodejs (npm)
Affected versions
< 11.0.10
Summary
The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren’t prompted to change credentials or secrets during installation, and there is no way to change them through the UI.
Affected Resources
- HAXCMS.js HAXCMSClass
Impact
An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks.
References
- GHSA-5fpv-5qvh-7cf3
- haxtheweb/haxcms-nodejs@6dc2441
- https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/lib/HAXCMS.js#L1614
Published to the GitHub Advisory Database
Jul 21, 2025
Last updated
Jul 21, 2025