CVE-2025-54134 is a high-severity vulnerability affecting the HAX CMS NodeJs application, specifically versions 11.0.8 and below. HAX CMS is a content management system that allows users to manage microsites via a NodeJs backend. The vulnerability arises from improper input validation (CWE-20) in the handling of API requests to the listFiles and saveFiles endpoints. When an authenticated attacker sends an API request missing required URL parameters, the application fails to properly handle exceptions triggered by these malformed inputs. This leads to the NodeJs application crashing, resulting in a denial-of-service (DoS) condition. The root cause is the lack of robust exception handling and validation for user-modifiable URL parameters, which violates secure coding practices and leads to unstable application behavior. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network with low attack complexity. The issue is resolved in version 11.0.9 of the HAX CMS NodeJs application. The CVSS 4.0 base score is 7.1, reflecting high severity due to the potential for significant availability impact without requiring user interaction or elevated privileges beyond authentication. No known exploits are currently reported in the wild, but the vulnerability presents a clear risk for service disruption in affected deployments.

For European organizations using HAX CMS NodeJs versions 11.0.8 and below, this vulnerability poses a significant risk to service availability. An attacker with valid credentials can trigger application crashes by sending malformed API requests, causing denial of service to legitimate users. This can disrupt business operations, especially for organizations relying on HAX CMS to manage critical microsite content or customer-facing portals. The impact extends to potential reputational damage and operational downtime. Since the vulnerability requires authentication, insider threats or compromised credentials could be leveraged to exploit this flaw. Additionally, the lack of proper input validation could be indicative of other latent issues, increasing the risk profile. Organizations in sectors such as media, marketing, education, and government that use HAX CMS for microsite management are particularly vulnerable. The disruption of web services could also affect compliance with European data protection regulations if service availability is critical for user data access or processing.

European organizations should immediately upgrade HAX CMS NodeJs to version 11.0.9 or later, where this vulnerability is fixed. Until the upgrade is applied, organizations should implement strict access controls to limit API access only to trusted authenticated users and monitor API usage for anomalous requests missing required parameters. Implementing Web Application Firewall (WAF) rules to detect and block malformed API requests targeting listFiles and saveFiles endpoints can provide temporary protection. Additionally, organizations should audit logs for repeated crashes or suspicious API calls and enforce strong authentication mechanisms to minimize the risk of credential compromise. Developers should review and enhance input validation and exception handling in custom integrations with HAX CMS to prevent similar issues. Regular security testing, including fuzz testing of API endpoints, is recommended to detect improper input handling early. Finally, organizations should maintain an incident response plan to quickly address potential denial-of-service incidents stemming from this vulnerability.