Strix
26.1K

CVE-2025-63783

HIGHCVSS 7.6/10EPSS 0.25%

Last modified

CVE-2025-63783 is a high-severity vulnerability rated 7.6/10 on the CVSS scale. A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

Metrics

CVSS 3.1
7.6/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

EPSS Probability
0.25%

16.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
OnlookOnlook0.2.32

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-63783?
A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.
How severe is CVE-2025-63783?
CVE-2025-63783 has a CVSS score of 7.6/10 (HIGH severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.
How do I fix CVE-2025-63783?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-63783?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST