CVE-2025-63785 — MEDIUM (6.1)

Vulnerability Description

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Onlook	Onlook	0.2.32

Related Weaknesses (CWE)

CWE-20 CWE-116 CWE-79

References

https://blog.soohyun.tech/CVE-2025-63785-DOM-XSS-in-Onlook-27e557175d2e80e1b210cExploitThird Party Advisory
https://tossbank.notion.site/DOM-XSS-in-onlook-27e557175d2e80e1b210c75b77952115Broken Link

FAQ

What is CVE-2025-63785?

CVE-2025-63785 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanit...

How severe is CVE-2025-63785?

CVE-2025-63785 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-63785?

Check the references section above for vendor advisories and patch information. Affected products include: Onlook Onlook.