NodeJS Vulnerability in HAX CMS by haxtheweb: Hardcoded Credentials and Secrets
CVE-2025-54137

7.3 HIGH

Key Information:

Vendor:
Haxtheweb

Status:
Vendor

CVE Published:
22 July 2025

What is CVE-2025-54137?

HAX CMS NodeJS allows users to manage their microsites but suffers from a significant vulnerability in versions 11.0.9 and below, which contain hardcoded default credentials for both user and superuser accounts. The application also includes default private keys for JSON Web Tokens (JWTs) that are not securely managed. During installation, users are not prompted to change these credentials or secrets, nor can they be modified via the user interface. As a result, an unauthenticated attacker can easily access default user credentials and JWT private keys available in public GitHub repositories, potentially compromising unconfigured self-hosted instances of the application. This risk may lead to unauthorized modifications of sites and enable further malicious activities. Version 11.0.10 has addressed these issues.

Affected Version(s)

issues < 11.0.10

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
