
CVE-2025-25905: n/a

Severity: High
Type: Vulnerability
Published: Wed Jun 25 2025 (06/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Cross-Site Scripting (XSS) vulnerability in CADClick v1.13.0 and before allows remote attackers to inject arbitrary web script or HTML via the "tree" parameter.

AI-Powered Analysis

Last updated: 06/25/2025, 15:45:32 UTC

Technical Analysis

CVE-2025-25905 is a Cross-Site Scripting (XSS) vulnerability identified in CADClick version 1.13.0 and earlier. The vulnerability arises due to insufficient input validation or sanitization of the "tree" parameter within the web interface of the CADClick application. An attacker can exploit this flaw by injecting arbitrary web scripts or HTML code through the "tree" parameter, which is then executed in the context of the victim's browser. This type of vulnerability enables attackers to perform a range of malicious activities, including session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as authentication tokens or cookies. Since the vulnerability is triggered remotely and does not require authentication, any user accessing a crafted URL or maliciously modified web page could be affected. The lack of a CVSS score and absence of known exploits in the wild suggest that this vulnerability is newly disclosed and may not yet be widely exploited. However, the presence of an XSS vulnerability in a CAD-related web application is concerning, as it may be used as an initial vector for further attacks within organizations relying on CADClick for design and collaboration workflows. The vulnerability's technical details indicate it is a reflected or stored XSS via the "tree" parameter, but no further specifics on the exact injection point or payload delivery mechanism are provided. No patches or mitigation links have been published at the time of disclosure, indicating that affected users should prioritize risk mitigation through configuration and monitoring until an official fix is available.

Potential Impact

For European organizations using CADClick, this XSS vulnerability poses several risks. CADClick is likely used in engineering, manufacturing, and design sectors, which are critical to Europe's industrial and technological infrastructure. Exploitation could lead to unauthorized access to user sessions, enabling attackers to impersonate legitimate users and potentially access sensitive design data or internal collaboration tools. This could result in intellectual property theft, disruption of design workflows, or insertion of malicious content into project files. Additionally, successful exploitation could serve as a foothold for more advanced attacks such as phishing campaigns targeting employees or lateral movement within the corporate network. The impact on confidentiality is significant due to potential data leakage, while integrity could be compromised if attackers alter design documents or communications. Availability impact is generally lower for XSS but could arise if attackers use the vulnerability to deface or disrupt the web interface. Given the lack of authentication requirements and ease of exploitation via crafted URLs, the threat is accessible to remote attackers without prior access, increasing the risk profile for organizations with exposed CADClick web interfaces.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on the "tree" parameter to neutralize malicious scripts. If source code access is available, developers should sanitize inputs using established libraries or frameworks that handle XSS prevention.
2. Until an official patch is released, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the "tree" parameter.
3. Restrict access to the CADClick web interface by IP whitelisting or VPN-only access to reduce exposure to external attackers.
4. Conduct user awareness training to recognize phishing attempts that might leverage this vulnerability for social engineering.
5. Monitor web server logs and application logs for unusual requests containing script tags or suspicious parameters related to "tree".
6. Regularly check for updates from the vendor and apply patches promptly once available.
7. If feasible, implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context.
8. Review and harden session management mechanisms to reduce the impact of potential session hijacking.
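The following Python block is an added illustration of recommendations 1, 5 and 7 above; it is not CADClick's code and the advisory gives no detail of the real handler. It assumes a hypothetical page that reflects the "tree" parameter into an HTML attribute and element body, shows the unescaped reflection beside a contextually encoded one, adds an allow-list check for the parameter (the pattern is an assumption, since the real identifier format is unknown), and runs a small detector over constructed access-log lines that flags "tree" values carrying markup, including the double-URL-encoded case that a single decode would miss.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical template that places the "tree" value in an attribute and in
# element content (stand-in for the real CADClick page, which is not public).
PAGE_TEMPLATE = '<div id="tree" data-node="{node}">{node}</div>'


def render_tree_vulnerable(tree: str) -> str:
    """Reflects the parameter verbatim: the defect class the advisory describes."""
    return PAGE_TEMPLATE.format(node=tree)


def render_tree_hardened(tree: str) -> str:
    """Output encoding for the HTML context: escape <, >, & and both quote
    characters so the value cannot close the attribute or open a tag."""
    return PAGE_TEMPLATE.format(node=html.escape(tree, quote=True))


# Allow-list validation. The real node-identifier format is unknown, so this
# pattern is an assumption: path-like identifiers, no markup characters.
TREE_ID = re.compile(r"[A-Za-z0-9_./-]{1,128}")


def validate_tree(tree: str) -> bool:
    return TREE_ID.fullmatch(tree) is not None


def security_headers() -> dict:
    """Recommendation 7: a restrictive CSP that blocks inline script execution.
    Directive set is an assumption; tune to what the application actually loads."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Recommendation 5: detection over web-server access logs (combined format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# Generic HTML/JS markers seen in a fully decoded parameter value.
SUSPICIOUS = re.compile(r"<|>|javascript:|&#|\bon\w+\s*=", re.IGNORECASE)


def suspicious_tree_requests(log_lines):
    """Return (client_ip, decoded_value) for requests whose 'tree' parameter
    contains markup. Values are decoded a second time so that double-encoded
    payloads (%253C...) are inspected in their final form."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("tree", []):  # parse_qs decodes once
            decoded = unquote_plus(value)              # second decode
            if SUSPICIOUS.search(decoded):
                hits.append((client_ip, decoded))
    return hits


# Constructed sample log lines (not from any real CADClick deployment).
LOG_SAMPLE = [
    '10.0.0.5 - - [25/Jun/2025:10:00:01 +0000] "GET /cadclick/view?tree=assemblies/gearbox HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Jun/2025:10:00:07 +0000] "GET /cadclick/view?tree=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5310',
    '10.0.0.9 - - [25/Jun/2025:10:00:12 +0000] "GET /cadclick/view?tree=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    print(render_tree_vulnerable("<b>x</b>"))
    print(render_tree_hardened("<b>x</b>"))
    for ip, value in suspicious_tree_requests(LOG_SAMPLE):
        print(f"suspicious tree value from {ip}: {value!r}")
```

The encoded form is what a template engine with auto-escaping produces by default; the allow-list check belongs in front of it, because encoding alone still lets arbitrary text reach the page and a node identifier has no legitimate need for markup characters. The detector keys on the decoded value rather than on raw query-string substrings, which is also how a WAF rule for recommendation 2 should be written so that encoding variations do not slip past it.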


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-02-07T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 685c15fca1cfc9c6487d9e9d

Added to database: 6/25/2025, 3:30:04 PM

Last enriched: 6/25/2025, 3:45:32 PM

Last updated: 8/8/2025, 2:32:44 AM
