Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

INFO

Published Date :

2025-11-07T00:00:00.000Z

Last Modified :

2025-11-12T17:04:57.483Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-63783 vulnerability.

Vendors Products
Onlook
  • Onlook
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-63783.

URL Resource
https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095 cve-icon cve-icon
https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact