Home > Vulnerability Database > CVE-2025-63783

Mend.io Vulnerability Database

CVE-2025-63783

Date: November 6, 2025

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

Severity Score

7.3

Related Resources (4)

Url: https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095

Url: https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-63783

Url: https://www.mend.io/vulnerability-database/CVE-2025-63783

Severity Score

7.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-63783

Date: November 6, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?