CVE-2025-54137 Overview
CVE-2025-54137 affects HAX CMS NodeJS, a content management system that lets users manage their microsite universe with a Node.js backend. Versions 11.0.9 and below ship with hardcoded default credentials for both user and superuser accounts. The application also uses default private keys for JSON Web Tokens (JWTs). Installers are not prompted to change these credentials or secrets, and the UI provides no mechanism to update them. An unauthenticated attacker can retrieve the default credentials and JWT private keys directly from the public haxtheweb GitHub repositories. The issue is fixed in version 11.0.10.
Critical Impact
Unauthenticated attackers can log into unconfigured self-hosted HAX CMS instances as superuser, modify sites, and forge valid JWTs using the publicly known private key.
Affected Products
- HAX CMS NodeJS (psu:haxcms-nodejs) versions 11.0.9 and below
- Self-hosted HAX CMS Node.js deployments using default configuration
- HAX CMS instances exposing the authentication API to the network
Discovery Timeline
- 2025-07-22 - CVE-2025-54137 published to the National Vulnerability Database (NVD)
- 2025-07-22 - Vendor commit 6dc2441c876350ca6fe9fbaecb058d92ef442869 merged to address the issue in version 11.0.10
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-54137
Vulnerability Analysis
The weakness is classified under [CWE-1392]: Use of Default Credentials. HAX CMS NodeJS initializes the user and superUser accounts with the value pair admin/admin whenever no user configuration file exists, and releases up to 11.0.9 additionally shipped default JWT private keys committed to the public repository instead of generating them per installation. An attacker therefore has two routes in: authenticate with the known username and password, or sign an arbitrary JWT with the leaked private key and present it directly to the API, bypassing the login step entirely. Either way the attacker holds superuser rights on the instance and can create, modify or delete sites and their content. The flaw requires no user interaction and no prior privileges on the target system.
Root Cause
The root cause is that installation neither generates unique secrets nor forces the operator to set them. The application source (src/lib/HAXCMS.js) shipped the default credentials and default JWT private keys alongside the code, and nothing in the install flow or the UI required operators to change them before exposing the service.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker locates a self-hosted HAX CMS instance, reads the default credentials from the public haxtheweb GitHub repository, and submits them to the login endpoint. The attacker can also craft a JWT signed with the leaked private key and present it directly to authenticated API endpoints.
this.refreshPrivateKey = uuidv4();
fs.writeFileSync(path.join(this.configDirectory, ".rpk"), this.refreshPrivateKey);
}
+ // allow for loading in user defined config
+ // pk/rpk test for files that can contain these
+ try {
+ this.user = JSON.parse(fs.readFileSync(path.join(this.configDirectory, ".user")),
+ {encoding:'utf8', flag:'r'}, 'utf8');
+ this.superUser = {...this.user};
+ }
+ catch (e) {
+ console.warn('***************************************************************');
+ console.warn('\nHAXcms USER CONFIGURATION FILE NOT FOUND, creating default user');
+ console.warn(`${path.join(this.configDirectory, ".user")} is being created with default credentials`);
+ console.warn("MAKE SURE YOU EDIT THIS FILE IF PUTTING IN PRODUCTION!!!!!");
+ console.warn("username: admin");
+ console.warn("password: admin");
+ console.warn("\n***************************************************************");
+ // create a default user
+ this.superUser = {
+ name: 'admin',
+ password: 'admin',
+ };
+ this.user = {
+ name: 'admin',
+ password: 'admin',
+ };
+ fs.writeFileSync(path.join(this.configDirectory, ".user"), JSON.stringify(this.user, null, 2));
+ }
+ // warn if we have default credentials
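Review bot: in the try block the fs.readFileSync call closes before `{encoding:'utf8', flag:'r'}, 'utf8'`, so those arguments reach JSON.parse (as an ignored non-function reviver and an ignored third argument) rather than the read, which therefore returns a Buffer; it only works because JSON.parse coerces the Buffer to a string. Move the encoding into the read: `this.user = JSON.parse(fs.readFileSync(path.join(this.configDirectory, ".user"), 'utf8'));`. The catch is also too broad: a malformed or unreadable existing .user file is reported as "NOT FOUND" and overwritten with admin/admin, so test `e.code === 'ENOENT'` and rethrow anything else. Finally, `this.superUser = {...this.user}` means the superuser shares the user's password, so the .user file effectively holds the superuser credentials as well; that deserves a comment next to the warning text.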
Source: GitHub commit 6dc2441. The unchanged context lines above the added block show the refresh private key being generated with uuidv4() and persisted to .rpk in configDirectory. The added block reads a user-defined .user file from the same directory and falls back to admin/admin only when that file cannot be read, writing the default user to disk and emitting a console warning that operators must edit it before production use.
Detection Methods for CVE-2025-54137
Indicators of Compromise
- Successful authentications to HAX CMS NodeJS using the username admin and password admin.
- Unexpected modifications to site content, configuration files, or user records on self-hosted HAX CMS instances.
- JWTs presented to the application that were signed with the default private key published in the haxtheweb GitHub repositories.
Detection Strategies
- Inspect HAX CMS application logs for logins by the admin account from unfamiliar source IP addresses.
- Compare the .user, .pk and .rpk files in the HAX CMS configDirectory against the default values shipped with versions 11.0.9 and earlier; a .user file containing name admin and password admin is the clearest signal.
- Inventory deployed Node.js environments (package.json and lockfiles) for haxcms-nodejs at version 11.0.9 or below.
Monitoring Recommendations
- Forward HAX CMS authentication and admin-action logs to a centralized log platform for anomaly review.
- Alert on first-time successful logins to administrative accounts on internet-exposed Node.js services.
- Track outbound connections from the HAX CMS host that follow administrative actions, which can indicate post-authentication abuse.
How to Mitigate CVE-2025-54137
Immediate Actions Required
- Upgrade HAX CMS NodeJS to version 11.0.10 or later.
- Rotate the admin and superuser passwords and replace the JWT private key and refresh private key on every deployed instance.
- Invalidate all existing JWTs issued before the upgrade so tokens signed with the leaked key cannot be reused.
- Restrict network access to the HAX CMS administrative interface until the upgrade is complete.
Patch Information
The fix is delivered in HAX CMS NodeJS version 11.0.10 via commit 6dc2441c876350ca6fe9fbaecb058d92ef442869. Review the GitHub Security Advisory GHSA-5fpv-5qvh-7cf3 and the vendor commit for full technical details.
Workarounds
- Manually overwrite the .user file in configDirectory with a strong, unique username and password before exposing the service.
- Regenerate the .pk and .rpk files with cryptographically random values and restart the application to load the new keys.
- Place the HAX CMS instance behind a reverse proxy or VPN that enforces additional authentication until version 11.0.10 is deployed.
# Configuration example: rotate credentials and JWT keys after upgrade
cd /path/to/haxcms/configDirectory
umask 077   # new files are created owner-only from the start
# Replace default admin credentials; keep a record of the generated password,
# the application does not display it anywhere
NEW_PASSWORD="$(openssl rand -base64 24)"
cat > .user <<EOF
{
  "name": "your-admin-username",
  "password": "${NEW_PASSWORD}"
}
EOF
echo "new admin password: ${NEW_PASSWORD}"
# Regenerate JWT private key and refresh private key (uuidgen yields the same
# UUIDv4 form the application writes to .rpk with uuidv4() in the hunk above)
uuidgen > .pk
uuidgen > .rpk
# Restrict file permissions, then restart the application so it loads the new
# credentials and keys; tokens signed with the old key stop verifying
chmod 600 .user .pk .rpk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


