CVE-2025-54127: NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access

July 21, 2025 (updated November 10, 2025)

The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks.

References

github.com/advisories/GHSA-f38f-jvqj-mfg6
github.com/haxtheweb/haxcms-nodejs
github.com/haxtheweb/issues/security/advisories/GHSA-f38f-jvqj-mfg6
nvd.nist.gov/vuln/detail/CVE-2025-54127

Code Behaviors & Features

Detect and mitigate CVE-2025-54127 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →