Platform: nodejs
Component: fuxa-server
Fixed in: 1.2.11, 1.2.10
CVE-2026-25893 represents a critical Remote Code Execution (RCE) vulnerability discovered in Fuxa Server, a Node.js application. This flaw allows attackers to bypass authentication and execute arbitrary code, even when authentication is enabled. The vulnerability affects versions 1.2.9 and earlier, and a patch is available in version 1.2.10.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the affected Fuxa Server instance. This could lead to data breaches, system compromise, and potential lateral movement within the network. The authentication bypass mechanism, which leverages the heartbeat refresh endpoint, is particularly concerning because it circumvents standard authentication measures. Unlike what was misrepresented in the case of CVE-2025-69970, enabling authentication does not mitigate this vulnerability. Attackers could potentially modify configurations, steal sensitive data, or even use the server as a launchpad for further attacks.
CVE-2026-25893 was publicly disclosed on February 5, 2026. The vulnerability is not currently listed on CISA KEV, and an EPSS score is pending evaluation. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the critical nature of the vulnerability. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
The primary mitigation is to immediately upgrade Fuxa Server to version 1.2.10 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. While enabling authentication does not prevent the bypass, restricting access to the heartbeat refresh endpoint via a Web Application Firewall (WAF) or proxy server could provide a limited layer of defense. Monitor access logs for unusual activity related to the heartbeat endpoint. The official patch details the specific code changes addressing the vulnerability; review these changes to understand the underlying issue and ensure proper configuration.
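As an added example (not FUXA's own code and not part of this advisory), the following Node.js script implements the log-monitoring workaround described above: it reads reverse-proxy access log lines placed in front of FUXA and flags heartbeat refresh requests that come from outside an allowlisted management network or arrive in a burst from a single source. The route in HEARTBEAT_PATH, the allowlist and the log lines are constructed placeholders; substitute the real route from the patch.

```javascript
// Added example, not FUXA's own code: triage a reverse-proxy access log for
// heartbeat refresh requests from outside the management network, or bursts
// from one source. HEARTBEAT_PATH is a placeholder, not the real route.
const HEARTBEAT_PATH = "/api/heartbeat-refresh"; // placeholder route

// Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// Minimal IPv4 CIDR matching for the allowlist (IPv6 not handled here).
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// One finding per heartbeat-refresh hit from outside the allowlist, plus one
// per source IP whose hit count reaches burstThreshold. Query strings are ignored.
function findSuspiciousHeartbeat(lines, allowlist, burstThreshold = 5) {
  const perIp = new Map();
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.path.split("?")[0] !== HEARTBEAT_PATH) continue;
    perIp.set(r.ip, (perIp.get(r.ip) || 0) + 1);
    if (!allowlist.some((c) => inCidr(r.ip, c))) {
      findings.push({ ip: r.ip, time: r.time, reason: "heartbeat refresh from outside allowlist" });
    }
  }
  for (const [ip, n] of perIp) {
    if (n >= burstThreshold) findings.push({ ip, reason: `burst: ${n} heartbeat refresh requests` });
  }
  return findings;
}

// Constructed sample log: one internal refresh, three from an external host.
const SAMPLE_LOG = [
  '10.0.5.20 - - [05/Feb/2026:10:00:01 +0000] "GET /home HTTP/1.1" 200 512',
  '10.0.5.20 - - [05/Feb/2026:10:00:31 +0000] "POST /api/heartbeat-refresh HTTP/1.1" 200 90',
  '203.0.113.77 - - [05/Feb/2026:10:01:02 +0000] "POST /api/heartbeat-refresh HTTP/1.1" 200 90',
  '203.0.113.77 - - [05/Feb/2026:10:01:03 +0000] "POST /api/heartbeat-refresh?x=1 HTTP/1.1" 200 90',
  '203.0.113.77 - - [05/Feb/2026:10:01:04 +0000] "POST /api/heartbeat-refresh HTTP/1.1" 401 0',
];
console.log(findSuspiciousHeartbeat(SAMPLE_LOG, ["10.0.0.0/8"], 3));
```

Run it against real proxy logs by replacing SAMPLE_LOG with the file's lines and the allowlist with your management CIDRs; any finding is a lead to investigate, not proof of exploitation.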
Update FUXA to version 1.2.10 or later. This version fixes the authentication bypass vulnerability that allows remote code execution. The update will prevent unauthenticated attackers from gaining administrative access and executing arbitrary code on the server.
CVE-2026-25893 is a critical Remote Code Execution vulnerability in Fuxa Server, allowing attackers to bypass authentication and execute code even with authentication enabled. It affects versions 1.2.9 and earlier.
If you are running Fuxa Server version 1.2.9 or earlier, you are vulnerable. Immediately upgrade to 1.2.10 or later to mitigate the risk.
Upgrade Fuxa Server to version 1.2.10 or later. As a temporary workaround, restrict access to the heartbeat refresh endpoint using a WAF or proxy.
While there's no confirmed widespread exploitation currently, the vulnerability's critical nature and ease of exploitation suggest active exploitation is likely to occur.
Refer to the official Fuxa GitHub repository for the advisory and patch details: https://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb