Cyber Resilience

CVE-2025-54134

High

Published: 21 July 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: fixed in version 11.0.9
CVSS v4 Score: 7.1 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0019 (40.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54134 is a high-severity Improper Input Validation (CWE-20) vulnerability in PSU haxcms-nodejs. Its CVSS v4 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 40.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. It exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.
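The defect class described above, as an added example that is not code from the HAX CMS project: a required URL parameter is dereferenced without being checked, so a request that omits it throws a TypeError, and in a Node.js backend an exception that escapes the handler is uncaught and terminates the process for every user. The handler and parameter names (`listFiles`, `saveFiles`, `path`, `file`) are assumed for illustration; the hardened form validates up front and adds an exception boundary.

```javascript
// Added example (not HAX CMS code). Handler and parameter names are assumed.

// Vulnerable pattern: the required "path" parameter is used without validation.
function listFilesUnsafe(query) {
  const segments = query.path.split('/'); // TypeError when query.path is undefined
  return { status: 200, body: { entries: segments.filter(Boolean) } };
}

// Required parameters per endpoint (assumed names, for illustration only).
const REQUIRED_PARAMS = {
  listFiles: ['path'],
  saveFiles: ['path', 'file'],
};

// Returns the required parameters that are absent, empty, or not plain strings.
// The typeof check also rejects repeated keys (?path=a&path=b), which many
// query-string parsers turn into arrays rather than strings.
function missingParams(endpoint, query) {
  return (REQUIRED_PARAMS[endpoint] || []).filter(
    (name) => typeof query[name] !== 'string' || query[name].length === 0,
  );
}

// Hardened pattern: validate first and answer 400 instead of dereferencing undefined.
function listFilesSafe(query) {
  const missing = missingParams('listFiles', query);
  if (missing.length > 0) {
    return {
      status: 400,
      body: { error: `missing parameter(s): ${missing.join(', ')}` },
    };
  }
  const segments = query.path.split('/');
  return { status: 200, body: { entries: segments.filter(Boolean) } };
}

// Defense in depth: convert any exception a handler still throws into a 500
// response, so a single malformed request cannot take down the whole backend.
function withExceptionBoundary(handler) {
  return (query) => {
    try {
      return handler(query);
    } catch (err) {
      return { status: 500, body: { error: 'internal error', kind: err.name } };
    }
  };
}
```

Applying `withExceptionBoundary` at the router level is the per-request equivalent of a process-level `uncaughtException` handler, but it keeps the failure scoped to the offending request instead of the whole server.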

CWE(s): CWE-20 (Improper Input Validation)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows an authenticated attacker to crash the NodeJS backend via malformed API requests to listFiles and saveFiles endpoints due to improper error handling, enabling endpoint denial of service through application exploitation.

Affected Assets

psu haxcms-nodejs, versions ≤ 11.0.9 (as recorded in the affected-asset entry; the vulnerability details above state that versions 11.0.8 and below are affected and 11.0.9 contains the fix)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-20, CWE-703): Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Control (addresses CWE-703, CWE-248): Mandates explicit, predictable handling of exceptional conditions rather than undefined continuation.

Control (addresses CWE-703, CWE-248): Requires explicit, safe handling actions for specified exceptional conditions rather than allowing unchecked propagation or default unsafe behavior.

Control (addresses CWE-703): Implements explicit checking and handling for the exceptional condition of audit logging process failure.

Control (addresses CWE-703): Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions.

Control (addresses CWE-703): Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled.

Control (addresses CWE-703): Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors.

Control (addresses CWE-703): Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling.

References