CVE-2025-63784 identifies an Open Redirect vulnerability in the OAuth callback handler of the Onlook web application, specifically in the file onlook/apps/web/client/src/app/auth/callback/route.ts, version 0.2.32. The vulnerability stems from the application's improper handling of the X-Forwarded-Host HTTP header, which it trusts without validation when constructing redirect URLs after OAuth authentication. This allows a remote attacker to craft requests with a manipulated X-Forwarded-Host header, causing the application to redirect authenticated users to arbitrary external websites controlled by the attacker. Such redirection can be exploited for phishing attacks, where users may be tricked into divulging sensitive information or credentials. The vulnerability is categorized under CWE-601 (Open Redirect). The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with attack vector as network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). However, the availability impact here likely refers to potential denial or disruption caused by malicious redirects. No patches or known exploits are currently documented. The vulnerability highlights a common security oversight in trusting HTTP headers that can be manipulated by attackers, especially in OAuth flows where redirect URLs are critical for security. Proper validation and sanitization of redirect targets are essential to prevent exploitation.

For European organizations, this vulnerability poses a significant risk primarily in the form of phishing attacks that can lead to credential theft, unauthorized access, and potential session hijacking. Since the vulnerability allows redirection of authenticated users to attacker-controlled sites, it undermines user trust and can facilitate social engineering campaigns. Organizations relying on the Onlook web application for OAuth-based authentication workflows may see increased risk of targeted phishing, especially in sectors handling sensitive data such as finance, healthcare, and government. The impact on availability is less direct but could manifest if attackers use the redirect to disrupt normal user workflows or launch denial-of-service style attacks via redirection loops or malicious payloads. The medium CVSS score indicates a moderate risk, but the real-world impact depends on the extent of Onlook’s deployment and the sophistication of phishing campaigns. European GDPR regulations also impose strict requirements on protecting user data, so exploitation could lead to regulatory penalties and reputational damage.

To mitigate this vulnerability, European organizations using Onlook 0.2.32 should immediately implement strict validation of the X-Forwarded-Host header and any redirect URLs in the OAuth callback handler. Specifically, the application should only allow redirects to a predefined whitelist of trusted domains and reject or sanitize any unrecognized or external URLs. Employing URL parsing libraries to verify the host component and enforcing HTTPS schemes can reduce risk. Additionally, organizations should monitor HTTP headers for suspicious manipulations and implement web application firewalls (WAFs) with rules targeting open redirect patterns. User education and phishing awareness training are critical to reduce the success of social engineering attacks exploiting this vulnerability. Regularly updating the Onlook application to versions that address this issue once available is essential. Finally, logging and alerting on unusual redirect patterns can help detect exploitation attempts early.