CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Description (NVD)
Cross-Site Scripting (XSS) vulnerability in CADClick v1.13.0 and before allows remote attackers to inject arbitrary web script or HTML via the "tree" parameter.
Analysis (AI)
CVE-2025-25905 is a reflected Cross-Site Scripting (XSS) vulnerability in CADClick versions 1.13.0 and earlier that allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript through the 'tree' parameter. Exploitation requires user interaction (the victim must open a crafted link), after which attacker-controlled script runs in the victim's browser within the CADClick origin and can be used for session hijacking, credential theft, or defacement. The vulnerability carries a CVSS 3.1 base score of 7.1 (High). Its vector (AV:N/AC:L/PR:N) describes a network-reachable flaw with low attack complexity and no privileges required, so it is practically exploitable in real-world scenarios, with the required click being the only barrier.
Technical Context (AI)
This vulnerability is a classic reflected XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation): CADClick fails to encode user-supplied input in the 'tree' parameter before writing it into the HTTP response body. The flaw sits in the web application layer of CADClick (a CAD/design collaboration tool) and points to missing output encoding at the point where the parameter is rendered; input validation alone would not be a sufficient fix for a value that legitimately contains path-like text. The 'tree' parameter likely selects or renders a hierarchical structure (for example a file or assembly tree) in the UI, and its value is reflected to the browser without context-appropriate HTML entity encoding and without a Content Security Policy that would block the resulting inline script. Affected CPE: cpe:2.3:a:cadclick:cadclick:*:*:*:*:*:*:*:* (versions <= 1.13.0).
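To make the CWE-79 pattern concrete, the following is an added example written for this entry; it is not CADClick's code. It models a page that echoes its 'tree' query parameter into HTML (the parameter name is from the NVD description; the /viewer path, the cadclick.example host and the markup are assumptions) and shows the same template with and without contextual output encoding.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Illustrative stand-in for a page that echoes its "tree" query parameter into the
# HTML it returns.  Written for this entry; it is not CADClick's code.  The parameter
# name comes from the NVD description, the /viewer path and the markup are assumptions.


def tree_param(url: str) -> str:
    """Return the (percent-decoded) value of the first 'tree' parameter, '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("tree", [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79 pattern: the raw parameter lands in an attribute and a text node
    unencoded, so a value such as  "><script>...  closes the attribute and starts
    a script element."""
    value = tree_param(url)
    return f'<div id="tree" data-node="{value}">{value}</div>'


def render_fixed(url: str) -> str:
    """Same template with contextual output encoding.  html.escape(quote=True) turns
    < > & " ' into entities, which is the correct encoding for HTML text and for
    double-quoted attribute values (not for JavaScript-string or URL contexts)."""
    value = html.escape(tree_param(url), quote=True)
    return f'<div id="tree" data-node="{value}">{value}</div>'


def has_live_script(rendered: str) -> bool:
    """Demo check: does the output contain a real <script> start tag?  An encoded
    payload appears as &lt;script&gt; instead and does not match."""
    return "<script" in rendered.lower()


# Constructed request: the payload breaks out of the quoted attribute, then injects
# a script element.  %22 is ", %3C is <, %3E is >.
PAYLOAD_URL = (
    "https://cadclick.example/viewer"
    "?tree=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD_URL))
    print("fixed:     ", render_fixed(PAYLOAD_URL))
```

The fix is encoding chosen for the output context, applied at render time. HTML entity encoding is right for text nodes and quoted attributes; a value written into a JavaScript string or a URL would need JavaScript-string or URL encoding instead, and the hardened template above does not cover those contexts.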
Remediation (AI)
patch: Upgrade CADClick to a release later than 1.13.0. Version 1.14.0 is assumed here to be the first patched release, pending vendor confirmation; priority: Immediate; notes: Verify the exact patched version against the official CADClick vendor advisory before deployment.

workaround: Implement Web Application Firewall (WAF) rules to block requests carrying suspicious payloads in the 'tree' parameter (script tags, event-handler attributes, encoded angle brackets); priority: Short-term; example_rule: Block requests matching 'tree=.*(<|%3C)(script|img|svg|iframe|on\w+)'; effectiveness: Moderate. As written the pattern is case-sensitive, recognises only a fixed list of tag names and sees a single layer of percent-encoding, so mixed-case tags, double-encoded payloads and other tags pass through, while legitimate values containing '<' may be blocked. Decode and case-fold the parameter before matching, and treat the rule as a stopgap until the patch is applied.

mitigation: Deploy Content Security Policy (CSP) headers: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; priority: Concurrent; notes: Because the policy omits 'unsafe-inline', the browser refuses inline <script> blocks and inline event handlers, which is exactly what a payload reflected through 'tree' would be, and it blocks loading script from attacker-controlled hosts. This only helps if CADClick functions without 'unsafe-inline'; roll it out with Content-Security-Policy-Report-Only first and review the violation reports before enforcing.

mitigation: Set the HttpOnly and Secure flags on session cookies so injected script cannot read the session token via document.cookie; priority: Concurrent; notes: This limits token exfiltration only. Script running in the victim's browser still executes inside the authenticated session and can issue requests on the victim's behalf.

detection: Monitor application and WAF logs for exploitation attempts against the 'tree' parameter (encoded script tags, event-handler attributes, repeated requests from one source with varying encodings); decode the parameter before matching; priority: Ongoing.
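The detection item and the WAF workaround above both hinge on matching the 'tree' parameter, so the following added example (written for this entry, not vuln.today's or CADClick's code) runs the quoted example rule over a handful of constructed access-log lines and compares it with a check that percent-decodes and case-folds the value first. The log lines, the /viewer path and the client addresses are constructed sample data.

```python
import re
from typing import Callable, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format).  None of this is real
# CADClick or vuln.today traffic; the /viewer path is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:01:02 +0000] "GET /viewer?tree=root/assemblies HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2025:10:01:05 +0000] "GET /viewer?tree=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5320
203.0.113.9 - - [10/Jun/2025:10:01:09 +0000] "GET /viewer?tree=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5330
203.0.113.9 - - [10/Jun/2025:10:01:12 +0000] "GET /viewer?tree=%3CScRiPt%3Ealert(2)%3C/script%3E HTTP/1.1" 200 5320
198.51.100.4 - - [10/Jun/2025:10:02:00 +0000] "GET /viewer?tree=parts%2Fbolts%3Csize HTTP/1.1" 200 5100
"""

# The example rule quoted in the remediation, applied verbatim to the raw line.
PAGE_RULE = re.compile(r"tree=.*(<|%3C)(script|img|svg|iframe|on\w+)")

# Same intent after normalisation: a start tag from a list of script-capable
# elements, or an event-handler attribute anywhere in the value, case-insensitive.
NORMALISED_RULE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|\bon\w+\s*=", re.IGNORECASE
)

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def tree_value(line: str) -> Optional[str]:
    """Pull the raw, still percent-encoded 'tree' value out of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for part in urlsplit(m.group(1)).query.split("&"):
        key, _, value = part.partition("=")
        if key == "tree":
            return value
    return None


def normalise(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so %253C and %3C both become '<'.
    Bounded so a deliberately deep-encoded value cannot keep the loop busy."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_with_page_rule(line: str) -> bool:
    return PAGE_RULE.search(line) is not None


def flag_with_normalised_rule(line: str) -> bool:
    value = tree_value(line)
    return value is not None and NORMALISED_RULE.search(normalise(value)) is not None


def scan(log: str, flagger: Callable[[str], bool]) -> List[int]:
    """Return the 1-based line numbers that the given check marks as suspicious."""
    return [i for i, line in enumerate(log.splitlines(), 1) if flagger(line)]


if __name__ == "__main__":
    print("page rule flags lines:      ", scan(SAMPLE_LOG, flag_with_page_rule))
    print("normalised rule flags lines:", scan(SAMPLE_LOG, flag_with_normalised_rule))
```

The verbatim rule catches only the plainly encoded <script> request; the mixed-case and double-encoded variants slip past it, while the decoded, case-insensitive check catches all three and still leaves the benign value containing '<' alone. Double-decoding is worth doing in a detector even when the application itself decodes once, since it surfaces evasion attempts; in a blocking WAF rule it raises the false-positive risk, which is why the remediation rates this workaround only moderate.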
EUVD identifier: EUVD-2025-19107