Unrated severityNVD Advisory· Published Nov 7, 2025· Updated Nov 12, 2025

CVE-2025-63783

Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

Affected products

Onlook/Onlook web applicationdescription
Onlook/Onlookllm-fuzzy
Range: = 0.2.32

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095mitre
tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000