← Back

CVE-2025-63783

nvd nist
Published: Nov 7, 2025Modified: Feb 5, 2026

JSON object

Loading...
7.6
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Exploitability: 2.8 / Impact: 4.7
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

Affected (1)

Products: Onlook: Onlook
Onlook
1 product
Onlook
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Onlook
Version 0.2.32

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

Source: cve@mitre.org
ExploitThird Party Advisory
Source: cve@mitre.org
Broken Link

Timeline

No history available yet.