CVE-2025-54134
Published: 21 July 2025
Summary
CVE-2025-54134 is a high-severity Improper Input Validation (CWE-20) vulnerability in Psu Haxcms-Nodejs. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 40.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22263
Vulnerability details
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.
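The failure mode described above, as an added illustration that is not HAX CMS's own code: a hypothetical listFiles-style handler that dereferences a URL parameter before checking it, beside a hardened version that validates the parameter and maps failures to HTTP errors. It assumes an Express-style request object (`req.query`) and handler signature; the process-crash behaviour refers to Node's default handling of unhandled promise rejections.

```javascript
// Added illustration of the bug class behind CVE-2025-54134; hypothetical code,
// not HAX CMS's own. A listFiles-style handler reads a URL parameter that a
// caller may simply omit.

// Vulnerable shape: the parameter is used before it is checked. With ?path=
// missing, req.query.path is undefined and .split throws a TypeError. In an
// Express async handler with no try/catch that becomes an unhandled promise
// rejection, which terminates the Node.js process (the default since Node 15),
// so a single malformed request takes the whole backend down.
function listFilesVulnerable(req) {
  const parts = req.query.path.split("/");
  return { status: 200, body: { dir: parts.filter(Boolean).join("/") } };
}

// Hardened shape: validate required parameters up front and turn any failure
// into an HTTP error response rather than an escaping exception.
function listFilesSafe(req) {
  const path = req.query.path;
  if (typeof path !== "string" || path.length === 0) {
    return { status: 400, body: { error: "missing required parameter: path" } };
  }
  try {
    const parts = path.split("/").filter(Boolean);
    return { status: 200, body: { dir: parts.join("/") } };
  } catch (err) {
    // Anything unexpected is reported, never allowed to crash the server.
    return { status: 500, body: { error: "internal error" } };
  }
}

// Defence in depth for Express-style (req, res, next) async handlers: route a
// rejected promise to the error middleware instead of letting it kill the process.
function wrapAsync(handler) {
  return (req, res, next) =>
    Promise.resolve(handler(req, res, next)).catch(next);
}
```

Mounting every async route through `wrapAsync` (or using a framework version that forwards rejections itself) is the generic safety net; the per-parameter validation in `listFilesSafe` is the actual fix for this weakness class.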
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an authenticated attacker to crash the NodeJS backend via malformed API requests to listFiles and saveFiles endpoints due to improper error handling, enabling endpoint denial of service through application exploitation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Mandates explicit, predictable handling of exceptional conditions rather than undefined continuation.
Requires explicit, safe handling actions for specified exceptional conditions rather than allowing unchecked propagation or default unsafe behavior.
Implements explicit check and handling for the exceptional condition of audit logging process failure.
Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions.
Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled.
Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors.
Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling.