CVE-2025-63785

6.1 MEDIUM

📋 TL;DR

A DOM-based XSS vulnerability in Onlook web application 0.2.32 allows attackers to inject malicious scripts through the text editor feature. When users edit text elements, unsanitized input is directly injected into the DOM via innerHTML, executing arbitrary scripts in the user's session context. This affects all users of Onlook web application version 0.2.32.

💻 Affected Systems

Products:
  • Onlook web application
Versions: 0.2.32
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the text editor preview iframe when editing text elements.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions within the application using the victim's privileges.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to edit text elements, but payload execution is straightforward once injected.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement workarounds and monitor for vendor updates.

🔧 Temporary Workarounds

Implement Input Sanitization

Applies to: all

Add server-side and client-side input validation to sanitize HTML/script content before DOM injection.

Enable Content Security Policy

Applies to: all

Implement strict CSP headers to prevent inline script execution and restrict script sources. For example:

Content-Security-Policy: script-src 'self'
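To make the two workarounds concrete, here is an added example (not Onlook's code, and not taken from the advisory) showing the `innerHTML` injection pattern the TL;DR describes beside two safe ways to render editor text, plus a small check that a CSP header value actually forbids inline scripts. The function names, the fake element object and the sample inputs are all constructed for this illustration.

```javascript
// Added example, not part of the Onlook project. It contrasts the DOM
// injection pattern this advisory describes with the safe alternatives and
// shows how to test a CSP value before relying on it as a mitigation.

// VULNERABLE pattern (the one the advisory describes): editor input is
// assigned as markup, so any tag or event handler in it becomes live DOM.
function renderUnsafe(el, userText) {
  el.innerHTML = userText; // do not do this with user-controlled text
}

// SAFE pattern 1: treat editor input strictly as text. The browser never
// parses it as HTML, so tags are shown literally and nothing executes.
function renderAsText(el, userText) {
  el.textContent = userText;
}

// SAFE pattern 2: when markup concatenation is unavoidable, encode the five
// characters that are significant in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Conservative check for the CSP workaround: parse the header value into
// directives and require an effective script-src (falling back to
// default-src) that allows neither 'unsafe-inline' nor the wildcard '*'.
// This deliberately ignores nonce/hash subtleties; it is a quick sanity
// test, not a full CSP evaluator.
function cspBlocksInlineScripts(headerValue) {
  const directives = new Map();
  for (const part of String(headerValue).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return false; // no script restriction at all
  return !sources.includes("'unsafe-inline'") && !sources.includes('*');
}

// Constructed demonstration with a fake element object (no browser needed).
function demo() {
  const el = { innerHTML: '', textContent: '' };
  const payload = "<script>alert('XSS')</script>"; // sample input, constructed
  renderAsText(el, payload);
  return {
    textRendered: el.textContent,             // shown literally, never parsed
    encoded: escapeHtml(payload),             // safe to concatenate into markup
    strictCsp: cspBlocksInlineScripts("script-src 'self'"),
    weakCsp: cspBlocksInlineScripts("default-src *; script-src 'self' 'unsafe-inline'"),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `renderUnsafe` function is kept only to show the exact shape of the bug; a code review or a grep for `innerHTML =` assignments fed by editor state is the fastest way to find this pattern in a code base. `cspBlocksInlineScripts` returns `true` for the `script-src 'self'` header recommended above and `false` for a policy that re-enables inline scripts.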

🧯 If You Can't Patch

  • Disable the text editor feature if not essential for business operations.
  • Implement web application firewall (WAF) rules to block XSS payload patterns.

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> into the text editor and checking whether it executes in the preview iframe.

Check Version:

Check application version in admin panel or package.json for version 0.2.32.

Verify Fix Applied:

Verify that script payloads no longer execute and are properly sanitized/encoded in DOM output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in text editor input logs
  • Multiple failed login attempts from new locations

Network Indicators:

  • Outbound connections to unknown domains after text editor use
  • Unexpected POST requests with script payloads

SIEM Query:

source="web_logs" AND (message="*<script>*" OR message="*javascript:*") AND user_agent="*Onlook*"
