CVE-2025-63783 — HIGH (7.6)

Vulnerability Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

CVSS Score

7.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Onlook	Onlook	0.2.32

Related Weaknesses (CWE)

CWE-20

References

https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931ExploitThird Party Advisory
https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095Broken Link

FAQ

What is CVE-2025-63783?

CVE-2025-63783 is a vulnerability with a CVSS score of 7.6 (HIGH). A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exist...

How severe is CVE-2025-63783?

CVE-2025-63783 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-63783?

Check the references section above for vendor advisories and patch information. Affected products include: Onlook Onlook.