ByteOS Network

NVD Vulnerability Details :

CVE-2025-63783

Awaiting Analysis

Source-cve@mitre.org

Published At-07 Nov, 2025 | 16:15

Updated At-12 Nov, 2025 | 17:15

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Type: Secondary

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Weaknesses

CWE ID	Type	Source
CWE-20	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-20

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095	cve@mitre.org	N/A
https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095	cve@mitre.org	N/A

Hyperlink: https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095

Source: cve@mitre.org

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History