CVE-2025-63783
📋 TL;DR
This Broken Object Level Authorization (BOLA) vulnerability in the Onlook web application allows any authenticated user to modify, delete, or otherwise manipulate tags on other users' projects by sending tRPC mutation requests that carry a project ID they are not authorized for. It affects Onlook 0.2.32 and every user with project data in the system. Attackers can compromise data integrity and availability through unauthorized project manipulation.
💻 Affected Systems
- Onlook web application, version 0.2.32
📦 What is this software?
Onlook by Onlook
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of project data integrity through mass deletion/modification of all user projects, leading to data corruption, service disruption, and potential business impact.
Likely Case
Targeted attacks against specific users' projects resulting in unauthorized modifications, data loss, or tag manipulation that could affect project organization and functionality.
If Mitigated
With authorization checks in place, an authenticated user can only act on projects they own or belong to; unauthorized attempts are rejected and, with proper logging, can be detected and investigated.
🎯 Exploit Status
Exploitation requires only a valid account on the instance and minimal technical skill: the attacker replaces the project ID in an otherwise normal mutation request. Public blog posts demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Implement authorization checks in the tRPC mutation APIs that verify the authenticated user owns, or is a member of, the project identified by the requested project ID, and reject the request otherwise.
🔧 Temporary Workarounds
Implement API-level authorization middleware
Add authorization checks before processing any project mutation request, verifying that the authenticated user has the required permissions on the requested project ID.
Rate limiting and monitoring
Apply rate limiting to project mutation endpoints and enhance logging to detect suspicious access patterns.
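The fix described above and the middleware workaround come down to one thing: resolving the project and checking the caller's relationship to it before the mutation runs. The following is an added example, not Onlook's code, written in TypeScript because Onlook's API is tRPC. It shows a tag mutation first without the object-level check (the BOLA pattern this advisory describes) and then with it. The names Project, Ctx, requireProjectMember, updateTagsVulnerable and updateTagsHardened are chosen for this illustration, and the in-memory store is constructed sample data.

```typescript
// Added example, not Onlook's code: a minimal model of a tRPC-style tag
// mutation, first missing the object-level check (the BOLA pattern this
// advisory describes) and then with it. Project, Ctx, requireProjectMember,
// updateTagsVulnerable and updateTagsHardened are names chosen for this
// illustration; the in-memory store is constructed sample data.

type UserId = string;
type ProjectId = string;

interface Project {
  id: ProjectId;
  ownerId: UserId;
  memberIds: Set<UserId>;
  tags: string[];
}

// Request context after authentication; null means no session.
interface Ctx {
  userId: UserId | null;
}

interface TagInput {
  projectId: ProjectId;
  tags: string[];
}

// tRPC-like error carrying a code the client can act on.
class AuthError extends Error {
  code: "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND";
  constructor(code: "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND", message: string) {
    super(message);
    this.code = code;
  }
}

// Constructed in-memory store standing in for the database.
const projects = new Map<ProjectId, Project>([
  ["p-alice", { id: "p-alice", ownerId: "alice", memberIds: new Set(["alice", "carol"]), tags: ["draft"] }],
  ["p-bob", { id: "p-bob", ownerId: "bob", memberIds: new Set(["bob"]), tags: ["prod"] }],
]);

// VULNERABLE: confirms that *some* user is logged in, then trusts the
// client-supplied projectId. Any authenticated user can retag any project.
function updateTagsVulnerable(ctx: Ctx, input: TagInput): string[] {
  if (!ctx.userId) throw new AuthError("UNAUTHORIZED", "login required");
  const project = projects.get(input.projectId);
  if (!project) throw new AuthError("NOT_FOUND", "no such project");
  project.tags = [...input.tags];
  return project.tags;
}

// Object-level authorization: load the project and verify the caller owns it
// or is a member BEFORE anything is modified. In tRPC this belongs in a
// middleware shared by every project mutation, so no procedure can forget it.
function requireProjectMember(ctx: Ctx, projectId: ProjectId): Project {
  if (!ctx.userId) throw new AuthError("UNAUTHORIZED", "login required");
  const project = projects.get(projectId);
  if (!project) throw new AuthError("NOT_FOUND", "no such project");
  if (project.ownerId !== ctx.userId && !project.memberIds.has(ctx.userId)) {
    // Log both IDs so the denial can be correlated by detection rules.
    console.warn(`authz_denied user=${ctx.userId} project=${projectId} op=project_tag`);
    throw new AuthError("FORBIDDEN", "not a member of this project");
  }
  return project;
}

// HARDENED: the same mutation, reachable only through the membership check.
function updateTagsHardened(ctx: Ctx, input: TagInput): string[] {
  const project = requireProjectMember(ctx, input.projectId);
  project.tags = [...input.tags];
  return project.tags;
}

// Current tags of a project (copy), for inspecting the effect of each call.
function getTags(projectId: ProjectId): string[] {
  return [...(projects.get(projectId)?.tags ?? [])];
}

// Runs a handler and returns "ok" or the error code, so outcomes compare easily.
function tryUpdate(handler: (ctx: Ctx, input: TagInput) => string[], ctx: Ctx, input: TagInput): string {
  try {
    handler(ctx, input);
    return "ok";
  } catch (e) {
    const code = (e as { code?: string }).code;
    return typeof code === "string" ? code : "error";
  }
}

// Worked run: bob is authenticated but has no rights on p-alice.
console.log(tryUpdate(updateTagsVulnerable, { userId: "bob" }, { projectId: "p-alice", tags: ["pwned"] })); // ok
console.log(tryUpdate(updateTagsHardened, { userId: "bob" }, { projectId: "p-alice", tags: ["pwned"] })); // FORBIDDEN
```

The hardened handler distinguishes a missing project (NOT_FOUND) from a project the caller may not touch (FORBIDDEN). If project IDs on your instance are guessable and you do not want to confirm which ones exist, collapse both cases to NOT_FOUND; the important property is that the membership lookup happens on the server, keyed by the session's user ID, before any write.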
🧯 If You Can't Patch
- Restrict network access to the Onlook application to trusted users only; this narrows the pool of authenticated accounts that could abuse the flaw but does not remove it, since exploitation needs only a valid login
- Enable detailed audit logging for all project mutation operations, recording the acting user ID and the target project ID, and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Using a second account that has no ownership or membership of a project you control, send authenticated requests to the project mutation endpoints with that project's ID. If the mutation succeeds, the instance is vulnerable. Test only against projects you own.
Check Version:
Check the version field in package.json, or the application's version endpoint, for Onlook 0.2.32. Since no fixed version has been published, the version number alone cannot confirm that the issue is addressed.
Verify Fix Applied:
Verify that API endpoints now check user permissions for requested project IDs and reject unauthorized requests with appropriate error responses.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for project mutations
- Successful project mutations from users not associated with the project
- Rapid sequence of project update/delete operations
Network Indicators:
- Unusual patterns of POST/PUT/DELETE requests to project mutation endpoints
- Requests containing project IDs not associated with the authenticated user
SIEM Query:
source="onlook_app" AND (action="project_update" OR action="project_delete" OR action="project_tag") AND user_id NOT IN project_members
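The log and network indicators above, and the SIEM query in particular, can be applied directly to audit logs. The following is an added example, not part of the advisory and not Onlook code: a small TypeScript detector run over constructed JSON audit lines. The line format, field names, thresholds and the membership table are assumptions for this illustration; map them onto whatever your instance's logging actually emits.

```typescript
// Added example, not part of the advisory or of Onlook: a detector that
// applies the log indicators above to constructed JSON audit lines. The line
// format, field names, thresholds and membership table are assumptions for
// this illustration.

interface AuditEvent {
  ts: number;          // epoch milliseconds
  user_id: string;
  project_id: string;
  action: string;      // e.g. project_update, project_delete, project_tag
  outcome: "success" | "denied";
}

interface Finding {
  rule: "mutation_by_non_member" | "repeated_denials" | "mutation_burst";
  user_id: string;
  detail: string;
}

const MUTATION_ACTIONS = new Set(["project_update", "project_delete", "project_tag"]);

// Constructed membership table; in practice this comes from the application DB.
const projectMembers: Record<string, Set<string>> = {
  "p-alice": new Set(["alice", "carol"]),
  "p-bob": new Set(["bob"]),
};

// Constructed sample log: a legitimate edit by alice, one BOLA success by bob,
// three denials for mallory, a garbage line, a five-mutation burst by eve
// across projects she does not belong to, and a legitimate edit by carol.
const SAMPLE_LOG = [
  '{"ts":1700000000000,"user_id":"alice","project_id":"p-alice","action":"project_tag","outcome":"success"}',
  '{"ts":1700000001000,"user_id":"bob","project_id":"p-alice","action":"project_tag","outcome":"success"}',
  '{"ts":1700000002000,"user_id":"mallory","project_id":"p-bob","action":"project_update","outcome":"denied"}',
  '{"ts":1700000003000,"user_id":"mallory","project_id":"p-bob","action":"project_update","outcome":"denied"}',
  '{"ts":1700000004000,"user_id":"mallory","project_id":"p-bob","action":"project_delete","outcome":"denied"}',
  'not json at all',
  '{"ts":1700000010000,"user_id":"eve","project_id":"p-alice","action":"project_delete","outcome":"success"}',
  '{"ts":1700000010500,"user_id":"eve","project_id":"p-bob","action":"project_delete","outcome":"success"}',
  '{"ts":1700000011000,"user_id":"eve","project_id":"p-alice","action":"project_update","outcome":"success"}',
  '{"ts":1700000011500,"user_id":"eve","project_id":"p-bob","action":"project_tag","outcome":"success"}',
  '{"ts":1700000012000,"user_id":"eve","project_id":"p-alice","action":"project_tag","outcome":"success"}',
  '{"ts":1700000100000,"user_id":"carol","project_id":"p-alice","action":"project_update","outcome":"success"}',
].join("\n");

// Parses one JSON object per line, skipping anything malformed or incomplete.
function parseEvents(raw: string): AuditEvent[] {
  const events: AuditEvent[] = [];
  for (const line of raw.split("\n")) {
    if (!line.trim()) continue;
    let obj: any;
    try { obj = JSON.parse(line); } catch { continue; }
    if (typeof obj.ts !== "number" || typeof obj.user_id !== "string" ||
        typeof obj.project_id !== "string" || typeof obj.action !== "string" ||
        (obj.outcome !== "success" && obj.outcome !== "denied")) continue;
    events.push(obj as AuditEvent);
  }
  return events;
}

// Applies the three indicators. Rule 1 is the SIEM query above expressed in
// code: a successful mutation by a user who is not a member of the project.
// An unknown project ID is treated as "not a member" so it is not silently
// ignored.
function detect(events: AuditEvent[], windowMs = 10000, burstThreshold = 5, denialThreshold = 3): Finding[] {
  const findings: Finding[] = [];
  const mutations = events
    .filter((e) => MUTATION_ACTIONS.has(e.action))
    .sort((a, b) => a.ts - b.ts);

  for (const e of mutations) {
    const members = projectMembers[e.project_id];
    if (e.outcome === "success" && !(members && members.has(e.user_id))) {
      findings.push({ rule: "mutation_by_non_member", user_id: e.user_id, detail: `${e.action} on ${e.project_id}` });
    }
  }

  const byUser = new Map<string, AuditEvent[]>();
  for (const e of mutations) {
    const list = byUser.get(e.user_id) ?? [];
    list.push(e);
    byUser.set(e.user_id, list);
  }

  byUser.forEach((evs, user) => {
    // Rule 2: repeated authorization failures from one account.
    const denied = evs.filter((e) => e.outcome === "denied").length;
    if (denied >= denialThreshold) {
      findings.push({ rule: "repeated_denials", user_id: user, detail: `${denied} denied mutations` });
    }
    // Rule 3: sliding window over the user's mutation attempts (any outcome).
    for (let i = 0, j = 0; i < evs.length; i++) {
      while (j < evs.length && evs[j].ts - evs[i].ts <= windowMs) j++;
      if (j - i >= burstThreshold) {
        findings.push({ rule: "mutation_burst", user_id: user, detail: `${j - i} mutations within ${windowMs} ms` });
        break;
      }
    }
  });
  return findings;
}

const findings = detect(parseEvents(SAMPLE_LOG));
findings.forEach((f) => console.log(`${f.rule}\t${f.user_id}\t${f.detail}`));
```

Rule 1 is the one that matters most for this CVE: while the instance is unpatched, the mutation succeeds and nothing on the server refuses it, so the only signal is the mismatch between the acting user and the project's membership. Rules 2 and 3 become useful once the authorization check or the rate-limiting workaround is in place and attempts start being denied.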