CVE-2025-54127
Published: 21 July 2025
Summary
CVE-2025-54127 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Psu Haxcms-Nodejs. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22261
Vulnerability details
HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not…
more
perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. This is fixed in version 11.0.7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure default configuration disables JWT authentication checks, enabling unauthenticated remote exploitation of the public-facing HAXcms NodeJS web application for full access, modification, and deletion of site information.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults.
Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
Scans detect resources initialized with insecure defaults that create exploitable conditions.
Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation.