CVE-2025-0829

High

Published: 17 March 2025

Published

17 March 2025

Modified

22 October 2025

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0035 57.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0829 is a high-severity Cross-site Scripting (CWE-79) vulnerability in 3Ds 3Dexperience Enovia. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates inputs to the 3D Markup component to prevent injection and storage of malicious XSS scripts.

SI-15 Information Output Filtering good match

prevent

Filters outputs from 3D Markup when rendered in users' browsers to block execution of stored malicious scripts.

SI-2 Flaw Remediation good match

prevent

Remediates the stored XSS flaw by timely applying vendor patches from the advisory for affected 3DEXPERIENCE releases.

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

Stored XSS vulnerability directly enables injection and execution of arbitrary JavaScript code in the victim's browser session upon viewing the malicious 3D Markup content.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A stored Cross-site Scripting (XSS) vulnerability affecting 3D Markup in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.

Deeper analysisAI

CVE-2025-0829, published on 2025-03-17, is a stored Cross-site Scripting (XSS) vulnerability (CWE-79) in the 3D Markup component of ENOVIA Collaborative Industry Innovator. It affects releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. The flaw allows an attacker to execute arbitrary script code in a user's browser session, with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

The vulnerability can be exploited over the network with low attack complexity by an attacker possessing low privileges. Exploitation requires user interaction, such as a victim viewing the affected 3D Markup content containing the stored malicious payload. Successful exploitation executes arbitrary scripts in the victim's browser session, resulting in high confidentiality and integrity impacts across a changed scope.

Mitigation details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories.

Details

CWE(s): CWE-79

Affected Products

3ds

3dexperience enovia

r2022x — r2024x

CVEs Like This One

CVE-2025-0830Same product: 3Ds 3Dexperience Enovia

CVE-2025-0828Same product: 3Ds 3Dexperience Enovia

CVE-2025-0598Same product: 3Ds 3Dexperience Enovia

CVE-2025-0833Same product: 3Ds 3Dexperience Enovia

CVE-2025-0596Same product: 3Ds 3Dexperience Enovia

CVE-2025-0599Same product: 3Ds 3Dexperience Enovia

CVE-2025-0600Same product: 3Ds 3Dexperience Enovia

CVE-2025-0826Same product: 3Ds 3Dexperience Enovia

CVE-2025-0832Same product: 3Ds 3Dexperience Enovia

CVE-2025-0601Same product: 3Ds 3Dexperience Enovia

References

https://www.3ds.com/vulnerability/advisories
Vendor Advisory · 3DS.Information-Security@3ds.com