CVE-2025-63783: n/a
A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.
AI Analysis
Technical Summary
CVE-2025-63783 identifies a Broken Object Level Authorization (BOLA) vulnerability (CWE-639; OWASP API Security Top 10 category API1) in the tRPC project mutation procedures (update, delete, add tag, remove tag) of the Onlook web application version 0.2.32. The procedures accept a client-supplied project ID and act on it without verifying that the authenticated user owns, or is a member of, that project. Any authenticated user can therefore submit a mutation naming another user's project ID and modify its data, delete it, or change its tags. The attacker needs only a valid session; no interaction from the victim is required, and where a deployment allows self-registration the authentication requirement is a low bar. The impact is on the integrity and availability of project data; confidentiality is affected only indirectly, since the affected procedures write rather than read. No patch is linked from the advisory and no exploitation in the wild has been reported. No CVSS score has been assigned, so severity must be assessed independently; for shared, multi-user deployments the ability of one account to alter or delete every other user's projects should be treated as high severity. The root cause is a missing server-side object-level authorization check, a common defect in APIs that key operations on a resource identifier taken from the request: authentication establishes who the caller is, but each procedure must still establish that the caller may act on the specific object named. Remediation is to resolve the project through the caller's ownership or membership before every mutation, ideally by including the caller's identity in the database predicate so that a project the caller cannot access is never selected. Logging each mutation together with the caller and the target project ID makes exploitation attempts detectable after the fact. Organizations should audit their use of Onlook to assess exposure and prioritize mitigation.
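The following is an added example and not Onlook's source: a minimal TypeScript model of a tRPC-style project mutation that reproduces the missing object-level check described above, next to a hardened version that resolves the project through the caller's membership. The store contents, user names, project IDs and the `ProcedureError` type are constructed for illustration; the tRPC router plumbing is omitted so the logic runs stand-alone.

```typescript
// Added example (not Onlook's code): a minimal model of the tRPC-style project
// mutations described in the advisory, with the missing object-level check
// shown next to a hardened version. Store contents and names are constructed.

type Role = "owner" | "member";

interface Project {
  id: string;
  ownerId: string;
  name: string;
  tags: Set<string>;
}

interface Membership {
  projectId: string;
  userId: string;
  role: Role;
}

// What an authenticated tRPC procedure receives as ctx: the caller's identity
// comes from the verified session, never from the request input.
interface Ctx {
  userId: string;
}

class ProcedureError extends Error {
  code: "NOT_FOUND" | "FORBIDDEN";
  constructor(code: "NOT_FOUND" | "FORBIDDEN") {
    super(code);
    this.code = code;
  }
}

// Constructed in-memory data standing in for the application database.
function makeStore() {
  const projects = new Map<string, Project>([
    ["p-alice", { id: "p-alice", ownerId: "alice", name: "Alice's site", tags: new Set(["draft"]) }],
    ["p-bob", { id: "p-bob", ownerId: "bob", name: "Bob's site", tags: new Set<string>() }],
  ]);
  const memberships: Membership[] = [
    { projectId: "p-alice", userId: "alice", role: "owner" },
    { projectId: "p-alice", userId: "carol", role: "member" },
    { projectId: "p-bob", userId: "bob", role: "owner" },
  ];
  return { projects, memberships };
}
type Store = ReturnType<typeof makeStore>;

// VULNERABLE (the CVE pattern): the procedure trusts input.projectId and never
// asks whether ctx.userId has any relationship to that project.
function addTagVulnerable(store: Store, ctx: Ctx, input: { projectId: string; tag: string }): boolean {
  const project = store.projects.get(input.projectId);
  if (!project) throw new ProcedureError("NOT_FOUND");
  project.tags.add(input.tag); // ctx.userId is never consulted
  return true;
}

// Hardened: resolve the project *through* the caller's membership. A project the
// caller cannot access is reported exactly like one that does not exist, so the
// endpoint does not confirm which project IDs are valid.
function requireProjectAccess(store: Store, ctx: Ctx, projectId: string, minRole: Role): Project {
  const m = store.memberships.find(x => x.projectId === projectId && x.userId === ctx.userId);
  const roleOk = m !== undefined && (minRole === "member" || m.role === "owner");
  const project = store.projects.get(projectId);
  if (!roleOk || !project) throw new ProcedureError("NOT_FOUND");
  return project;
}

function addTagSecure(store: Store, ctx: Ctx, input: { projectId: string; tag: string }): boolean {
  const project = requireProjectAccess(store, ctx, input.projectId, "member");
  project.tags.add(input.tag);
  return true;
}

function deleteProjectSecure(store: Store, ctx: Ctx, input: { projectId: string }): boolean {
  // Destructive operations require the owner role, not mere membership.
  requireProjectAccess(store, ctx, input.projectId, "owner");
  store.projects.delete(input.projectId);
  store.memberships = store.memberships.filter(x => x.projectId !== input.projectId);
  return true;
}

// Runs the cross-tenant scenario from the advisory against both versions and
// reports which one let the foreign user through.
function demo(): { vulnerableAllowed: boolean; secureAllowed: boolean } {
  const bob: Ctx = { userId: "bob" };
  const attempt = (fn: () => boolean) => { try { return fn(); } catch { return false; } };
  const vulnerableAllowed = attempt(() => addTagVulnerable(makeStore(), bob, { projectId: "p-alice", tag: "pwned" }));
  const secureAllowed = attempt(() => addTagSecure(makeStore(), bob, { projectId: "p-alice", tag: "pwned" }));
  return { vulnerableAllowed, secureAllowed };
}
```

`demo()` returns `{ vulnerableAllowed: true, secureAllowed: false }`: Bob, who has no membership on `p-alice`, writes a tag through the vulnerable procedure and is refused by the hardened one. The hardened version returns the same `NOT_FOUND` for "not yours" and "does not exist", which keeps the endpoint from acting as a project-ID oracle; in a real database the equivalent is putting the caller's ID in the `WHERE` clause of the update or delete.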
Potential Impact
For European organizations, the impact of CVE-2025-63783 is significant wherever Onlook 0.2.32 is deployed as a shared, multi-user service for project management, collaboration, or tagging. Unauthorized modification or deletion of projects can destroy business information, disrupt workflows, and create compliance exposure where data integrity must be demonstrable. Confidentiality is affected only indirectly, since the vulnerable procedures write rather than read; the primary impacts are on integrity and availability. Software development, engineering, research, and other collaborative environments using Onlook are at risk of operational disruption. Because every authenticated account can reach the vulnerable procedures, the threat surface includes credential compromise, insider misuse, and, where self-registration is open, anyone who creates an account. The flaw is in Onlook's own procedure logic, not in the tRPC framework, so other tRPC applications are not affected by this CVE; the pattern is nevertheless simple to exploit, and a working request would be trivial to construct once the affected procedures are identified. No exploitation in the wild has been reported, and no patch is linked, which extends the window of exposure. European organizations should weigh the risk of unauthorized data manipulation, reputational damage, and the cost of restoring projects from backups.
Mitigation Recommendations
To mitigate CVE-2025-63783, organizations should audit their Onlook deployments to identify version 0.2.32 and any other version whose project mutation procedures lack ownership checks, and track the project for a fixed release. The fix belongs in the application: each mutation procedure (update, delete, add tag, remove tag) must verify server-side that the authenticated user owns or is a member of the project before acting, using the identity from the session rather than anything in the request body. The most robust form is to make the caller's identity part of the database predicate, so an update or delete that names a project the caller cannot access simply matches no rows; returning the same response for "not found" and "not yours" also avoids confirming valid project IDs to an attacker. Role-based or attribute-based access control can layer on top (for example, deletion requiring the owner role while tagging requires only membership), but neither replaces the per-object check. A regression test that calls each mutation with a second user's session against the first user's project ID should be part of the test suite. On the detection side, log every mutation with the caller's user ID and the target project ID, and alert on mutations where the caller has no membership on the target, or where one user touches many distinct projects in a short window, which suggests ID enumeration. Restricting the API to trusted networks or a VPN reduces exposure to outside account creation but does not mitigate abuse by any user who already has an account. Updating tRPC itself will not address the issue, since the framework is not at fault. Multi-factor authentication and credential-hygiene training reduce the chance that an attacker obtains a valid session, which this vulnerability requires.
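As an added example, not Onlook's code or log format, the following TypeScript implements the two detection signals described above over a constructed JSON-lines API log and a constructed membership snapshot: mutations whose caller has no membership on the target project, and one caller sweeping several foreign project IDs inside a short window. The procedure names, field names, user IDs and timestamps are assumptions made for the sample.

```typescript
// Added example (not Onlook's code or log format): offline detection logic for
// the two signals the mitigation section describes, run over constructed
// JSON-lines API log entries and a constructed membership snapshot.

interface LogEvent {
  ts: string;          // ISO-8601 timestamp
  userId: string;      // authenticated caller, from the session
  procedure: string;   // tRPC procedure name, e.g. "project.delete"
  projectId: string;   // object ID taken from the request input
  status: "ok" | "error";
}

interface Alert {
  rule: "foreign_mutation" | "project_enumeration";
  userId: string;
  projectIds: string[];
  firstTs: string;
  succeeded: boolean;  // true when at least one flagged call returned ok
}

// Procedures that write project data (the operations named in the advisory).
const MUTATION_PROCEDURES = new Set(["project.update", "project.delete", "project.addTag", "project.removeTag"]);

// Constructed membership snapshot: project ID -> users who may act on it.
// In practice this would come from the application database or an export.
const MEMBERSHIPS: Record<string, string[]> = {
  "p-alice": ["alice", "carol"],
  "p-bob": ["bob"],
  "p-dave": ["dave"],
};

// Constructed sample log, one JSON object per line. The entries from "mallory"
// model an attacker with a valid account sweeping other users' project IDs.
const SAMPLE_LOG = `
{"ts":"2025-11-07T15:58:01Z","userId":"alice","procedure":"project.update","projectId":"p-alice","status":"ok"}
{"ts":"2025-11-07T15:58:05Z","userId":"carol","procedure":"project.addTag","projectId":"p-alice","status":"ok"}
{"ts":"2025-11-07T15:59:10Z","userId":"mallory","procedure":"project.addTag","projectId":"p-alice","status":"ok"}
{"ts":"2025-11-07T15:59:11Z","userId":"mallory","procedure":"project.delete","projectId":"p-bob","status":"ok"}
{"ts":"2025-11-07T15:59:12Z","userId":"mallory","procedure":"project.update","projectId":"p-dave","status":"error"}
{"ts":"2025-11-07T16:02:00Z","userId":"bob","procedure":"project.get","projectId":"p-alice","status":"error"}
`.trim();

function parseLog(text: string): LogEvent[] {
  return text.split("\n").filter(l => l.trim() !== "").map(l => JSON.parse(l) as LogEvent);
}

function isMember(userId: string, projectId: string): boolean {
  return (MEMBERSHIPS[projectId] ?? []).indexOf(userId) !== -1;
}

// Mutation calls whose caller has no membership on the target project.
// (A read-only call such as project.get is out of scope for this rule.)
function foreignMutations(events: LogEvent[]): LogEvent[] {
  return events.filter(e => MUTATION_PROCEDURES.has(e.procedure) && !isMember(e.userId, e.projectId));
}

// Rule 1: one alert per foreign mutation. status "ok" means the write went
// through, i.e. the deployment is vulnerable and the call succeeded.
function detectForeignMutations(events: LogEvent[]): Alert[] {
  return foreignMutations(events).map(e => ({
    rule: "foreign_mutation" as const,
    userId: e.userId,
    projectIds: [e.projectId],
    firstTs: e.ts,
    succeeded: e.status === "ok",
  }));
}

// Rule 2: one user hitting >= threshold distinct foreign projects within
// windowSec, the signature of someone iterating project IDs.
function detectEnumeration(events: LogEvent[], windowSec = 60, threshold = 3): Alert[] {
  const byUser = new Map<string, LogEvent[]>();
  for (const e of foreignMutations(events)) {
    let list = byUser.get(e.userId);
    if (!list) { list = []; byUser.set(e.userId, list); }
    list.push(e);
  }
  const alerts: Alert[] = [];
  byUser.forEach((evs, userId) => {
    evs.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    for (let i = 0; i < evs.length; i++) {
      const start = Date.parse(evs[i].ts);
      const seen = new Set<string>();
      let succeeded = false;
      for (let j = i; j < evs.length && Date.parse(evs[j].ts) - start <= windowSec * 1000; j++) {
        seen.add(evs[j].projectId);
        succeeded = succeeded || evs[j].status === "ok";
      }
      if (seen.size >= threshold) {
        alerts.push({ rule: "project_enumeration", userId, projectIds: Array.from(seen), firstTs: evs[i].ts, succeeded });
        break; // one alert per user per scan
      }
    }
  });
  return alerts;
}
```

On the sample, `detectForeignMutations(parseLog(SAMPLE_LOG))` yields three alerts, all for `mallory`, two of them with `succeeded: true`; `detectEnumeration` yields a single `project_enumeration` alert for `mallory` covering three projects in two seconds. The `succeeded` flag is what separates a confirmed compromise from a blocked attempt, which matters once a fix is deployed and the same rule is used to watch for continued probing.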
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-10-27T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 690e19295ed2b3c9881d11ee
Added to database: 11/7/2025, 4:07:05 PM
Last enriched: 11/7/2025, 4:07:23 PM
Last updated: 11/7/2025, 11:08:18 PM