
CVE-2025-63783: n/a

Severity: High
Published: Fri Nov 07 2025 (11/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The API does not verify that the currently authenticated user owns, or is a member of, the project identified by the project ID in the request. An authenticated attacker can therefore send a request containing another user's project ID and modify, delete or re-tag that project without authorization, compromising data integrity and availability.

AI-Powered Analysis

Last updated: 11/14/2025, 16:14:25 UTC

Technical Analysis

CVE-2025-63783 is a Broken Object Level Authorization (BOLA) flaw in the tRPC project mutation procedures (update, delete, add tag, remove tag) of Onlook 0.2.32. The procedures establish that the caller has a valid session, but they never check that the caller owns or is a member of the project identified by the project ID in the request input. Any authenticated user can therefore submit another user's project ID and modify that project, delete it, or alter its tags. Exploitation requires nothing beyond an ordinary account and knowledge of a target project ID.

The severity shown on this page is the analyst's CVSS v3.1 assessment (the CVE record itself carries no CVSS; see Technical Details): AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H, base score 7.6 (High). The flaw is reachable over the network, needs no special conditions, requires only low privileges (any authenticated user) and no user interaction, and does not change scope. Availability is rated high because projects can be deleted outright; confidentiality and integrity are rated low. Note that the description calls the integrity impact severe while the vector rates it low; the vector is the scored assessment.

No patch is listed at the time of writing and no exploitation in the wild has been reported. The record assigns CWE-20 (Improper Input Validation), but the weakness is an authorization failure rather than a validation failure; CWE-639 (Authorization Bypass Through User-Controlled Key) or CWE-862 (Missing Authorization) describes it more precisely. The fix is an ownership or membership check in every mutation that takes an object ID, not stricter parsing of the input.
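The missing check, as an added illustrative example in TypeScript (not Onlook's code): a tRPC-style project mutation written first without and then with object-level authorization. The in-memory store, the `TRPCError` stand-in, the procedure shapes and the `assertProjectAccess` helper are all assumptions; in a real tRPC router the same check would sit inside each mutation's resolver or in a middleware that receives the parsed input.

```typescript
// Added illustrative example (not Onlook's code): a tRPC-style project
// mutation written first without and then with the object-level
// authorization check that CVE-2025-63783 says is missing. The store,
// the procedure shapes and the error codes are assumptions.

type Role = "owner" | "member";

interface Project {
  id: string;
  tags: Set<string>;
  members: Map<string, Role>; // userId -> role in this project
}

// Constructed in-memory store standing in for the application database.
const projects = new Map<string, Project>([
  ["proj-alice", {
    id: "proj-alice",
    tags: new Set<string>(["design"]),
    members: new Map<string, Role>([["alice", "owner"], ["carol", "member"]]),
  }],
  ["proj-bob", {
    id: "proj-bob",
    tags: new Set<string>(),
    members: new Map<string, Role>([["bob", "owner"]]),
  }],
]);

// What a "protected" tRPC procedure hands to its resolver: the session
// middleware has proven the caller is logged in, nothing more.
interface Ctx { userId: string }

// Minimal stand-in for tRPC's TRPCError so the example runs without @trpc/server.
class TRPCError extends Error {
  code: "NOT_FOUND" | "FORBIDDEN";
  constructor(code: "NOT_FOUND" | "FORBIDDEN", message: string) {
    super(message);
    this.code = code;
  }
}

interface TagInput { projectId: string; tag: string }

// Vulnerable shape: the resolver trusts input.projectId because the caller
// is authenticated. Any logged-in user can tag (or update/delete) any project.
function addTagInsecure(_ctx: Ctx, input: TagInput): string[] {
  const project = projects.get(input.projectId);
  if (!project) throw new TRPCError("NOT_FOUND", "project not found");
  project.tags.add(input.tag);
  return Array.from(project.tags);
}

// Hardened shape: resolve the object and the caller's relation to it in one
// place, and call it from every mutation. Answering NOT_FOUND for both "no such
// project" and "not your project" stops the endpoint confirming which IDs exist.
function assertProjectAccess(ctx: Ctx, projectId: string, required: Role = "member"): Project {
  const project = projects.get(projectId);
  const role = project ? project.members.get(ctx.userId) : undefined;
  if (!project || !role) throw new TRPCError("NOT_FOUND", "project not found");
  if (required === "owner" && role !== "owner") throw new TRPCError("FORBIDDEN", "owner role required");
  return project;
}

function addTag(ctx: Ctx, input: TagInput): string[] {
  const project = assertProjectAccess(ctx, input.projectId);
  project.tags.add(input.tag);
  return Array.from(project.tags);
}

// Destructive operations get the stricter role check.
function deleteProject(ctx: Ctx, input: { projectId: string }): boolean {
  assertProjectAccess(ctx, input.projectId, "owner");
  return projects.delete(input.projectId);
}

// Helper for exercising the error paths: returns the TRPCError code, or null on success.
function errorCode(fn: () => unknown): string | null {
  try { fn(); return null; } catch (e) { return e instanceof TRPCError ? e.code : "UNEXPECTED"; }
}

// Demonstration: bob is authenticated but is not a member of alice's project.
console.log("insecure:", addTagInsecure({ userId: "bob" }, { projectId: "proj-alice", tag: "pwned" }));
console.log("hardened:", errorCode(() => addTag({ userId: "bob" }, { projectId: "proj-alice", tag: "pwned" })));
console.log("member delete:", errorCode(() => deleteProject({ userId: "carol" }, { projectId: "proj-alice" })));
```

The design point is that the check is keyed on the object, not the procedure: `assertProjectAccess` is the single place that decides whether this user may touch this project, so adding a new mutation later cannot silently skip it.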

Potential Impact

For European organizations running Onlook, the risk is to the integrity and availability of project data: any user with an account can alter, re-tag or delete projects belonging to other users or teams. Unauthorized deletion can halt work and destroy information that has no other copy; silent modification is harder to notice and undermines trust in everything stored in the application. Teams using Onlook for collaborative design or development work would bear the operational and reputational cost, and where projects contain personal data, unauthorized alteration or erasure may constitute a breach under GDPR. Because the attacker needs only an account, the exposure is largest in deployments with open or self-service registration. No exploitation in the wild has been reported, but the flaw is simple to exercise once the affected procedures are known, so the absence of reports should not be read as low risk.

Mitigation Recommendations

The fix belongs in the application: every project mutation (update, delete, add tag, remove tag) must load the project referenced by the request and verify that the authenticated user owns it or is a member before changing anything, and should return the same not-found response for missing and foreign project IDs. Until Onlook ships a patch, operators can reduce exposure by closing self-service registration and limiting accounts to trusted users, since any account is sufficient to exploit the flaw. Log the authenticated user and the project ID for every mutation, then join those logs against project membership to find calls that reference a project the requester does not belong to. This is the only reliable detection: a WAF sees the request but not who owns the project, so WAF rules can at best rate-limit accounts that cycle through many project IDs. Apply least privilege within the application (members only on the projects they need), include object-level authorization explicitly in security audits and penetration tests, and apply the vendor's patch as soon as it is released.
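The log review suggested above, as an added example in TypeScript (not Onlook's tooling): successful and attempted mutations are joined against a membership snapshot to surface calls that target a project the requester does not belong to. The log format, the sample records and the membership table are constructed for this example; the procedure names follow the advisory's list of affected mutations.

```typescript
// Added illustrative example (not Onlook's code): a retrospective check over
// application logs for mutations that reference a project the requester does
// not belong to. The log format and the membership snapshot are constructed
// for this example; the join itself is the part a WAF cannot do.

interface MutationLog {
  ts: string;
  userId: string;     // authenticated session subject
  procedure: string;  // tRPC path, e.g. "project.update"
  projectId: string;  // object ID taken from the request input
  status: "ok" | "error";
}

// Constructed sample: one JSON record per line, as an API gateway or a tRPC
// logging middleware could emit it.
const sampleLog = `
{"ts":"2025-11-07T10:00:01Z","userId":"alice","procedure":"project.update","projectId":"proj-alice","status":"ok"}
{"ts":"2025-11-07T10:00:05Z","userId":"bob","procedure":"project.addTag","projectId":"proj-alice","status":"ok"}
{"ts":"2025-11-07T10:00:06Z","userId":"bob","procedure":"project.delete","projectId":"proj-carol","status":"ok"}
{"ts":"2025-11-07T10:00:07Z","userId":"bob","procedure":"project.update","projectId":"proj-bob","status":"ok"}
{"ts":"2025-11-07T10:00:08Z","userId":"bob","procedure":"project.get","projectId":"proj-alice","status":"ok"}
{"ts":"2025-11-07T10:00:09Z","userId":"carol","procedure":"project.removeTag","projectId":"proj-carol","status":"ok"}
{"ts":"2025-11-07T10:00:11Z","userId":"dave","procedure":"project.update","projectId":"proj-alice","status":"error"}
`;

// Membership snapshot, assumed exported from the application database for
// the time window under review.
const membership: Record<string, string[]> = {
  "proj-alice": ["alice", "carol"],
  "proj-bob": ["bob"],
  "proj-carol": ["carol"],
};

// The procedures named in the advisory; reads are out of scope for this check.
const MUTATIONS = new Set(["project.update", "project.delete", "project.addTag", "project.removeTag"]);

function parseLog(text: string): MutationLog[] {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line) as MutationLog);
}

interface Finding {
  ts: string;
  userId: string;
  procedure: string;
  projectId: string;
  succeeded: boolean;  // true = confirmed unauthorized change, false = attempt only
}

// Flag every mutation whose requester is not a member of the target project.
// Failed attempts are kept: after the fix they are the signal that someone is
// still probing other users' IDs.
function findCrossTenantMutations(entries: MutationLog[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    if (!MUTATIONS.has(e.procedure)) continue;
    const members = membership[e.projectId] ?? [];
    if (members.includes(e.userId)) continue;
    findings.push({
      ts: e.ts,
      userId: e.userId,
      procedure: e.procedure,
      projectId: e.projectId,
      succeeded: e.status === "ok",
    });
  }
  return findings;
}

// Roll findings up per requester so one noisy account surfaces immediately.
function countByUser(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) counts.set(f.userId, (counts.get(f.userId) ?? 0) + 1);
  return counts;
}

const flagged = findCrossTenantMutations(parseLog(sampleLog));
for (const f of flagged) {
  console.log(`${f.ts} ${f.userId} ${f.procedure} ${f.projectId} ${f.succeeded ? "SUCCEEDED" : "attempt"}`);
}
```

Run against real logs, the membership snapshot should be taken as close to the log window as possible; a project whose membership changed after the fact will otherwise produce a false positive or hide a real one.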


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-10-27T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690e19295ed2b3c9881d11ee

Added to database: 11/7/2025, 4:07:05 PM

Last enriched: 11/14/2025, 4:14:25 PM

Last updated: 12/23/2025, 9:33:14 AM
