CVE-2025-63785: n/a
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session.
AI Analysis
Technical Summary
CVE-2025-63785 is a DOM-based Cross-Site Scripting vulnerability in the text editor feature of the Onlook web application, version 0.2.32. When a user edits a text element, the application writes the supplied text into the page with innerHTML, so the browser parses it as HTML instead of storing it as text. Any markup in the input, including elements with event-handler attributes, is therefore rendered and executed inside the preview iframe that displays the edited page. What that script can do is bounded by the preview iframe's origin: if the iframe shares the editor's origin and is not sandboxed, the payload can read the editor's storage and cookies, call its APIs and act as the logged-in user (session hijacking, data theft, unauthorized actions); if the preview runs on a separate or sandboxed origin, the blast radius is correspondingly smaller. The advisory does not state the iframe's origin or sandbox configuration, so that is the first thing to check when assessing exposure. Because the sink is client-side code, the flaw is DOM-based: the payload is interpreted by JavaScript in the browser and does not have to pass through the server to trigger, so server-side filtering alone will not catch it. No CVSS score has been published and no public exploit is known, but the CVE is in PUBLISHED state with MITRE as the assigner. The record carries no patch reference; read that as "no fix confirmed", not "no fix exists", and check the project's release notes before relying on a version number. The underlying defect is the familiar one of passing untrusted input to an HTML-parsing sink; textContent, an encoding step or a sanitizer would have prevented it.
Potential Impact
For European organizations that use the Onlook web application, or similar browser-based editors, for content editing or collaboration, the impact depends on who renders the injected text. The description does not say whether edited text is persisted or shown to other users: if an edit is only ever rendered for the user who typed it, the flaw is close to self-XSS and needs social engineering to matter; if edited content is saved and rendered for other collaborators, one malicious edit reaches every user who opens the preview. In the latter case exploitation can hijack user sessions, let attackers impersonate users, exfiltrate data visible to the editor, or perform actions on the victim's behalf, compromising confidentiality and integrity, and availability as well if the injected script breaks the preview. Organizations in finance, healthcare, government and critical infrastructure, where the edited content itself may be sensitive, should treat this with more urgency. The attack is purely client-side, so any device running the vulnerable version is a target regardless of the server's hardening. The absence of a known exploit lowers immediate risk but not the threat: DOM-based XSS in an innerHTML sink is easy to reproduce once the affected code path is known.
Mitigation Recommendations
To mitigate this vulnerability, organizations should audit the Onlook web application's text editor feature and any similar components that write user input into the DOM. Developers should assign user text with textContent (or createTextNode) rather than innerHTML; where the sink must remain HTML, encode the input first or pass it through a maintained sanitizer such as DOMPurify, and review the other HTML-parsing sinks (outerHTML, insertAdjacentHTML, document.write) while there. A Content Security Policy is the second layer: a script-src that omits 'unsafe-inline' blocks the inline event handlers a typical payload relies on, and require-trusted-types-for 'script' makes the browser reject any innerHTML assignment of a plain string, which turns the vulnerable pattern into a runtime error instead of an exploit. Because the script runs in the preview iframe, confirm how that iframe is isolated: a sandbox attribute without allow-same-origin, or a distinct preview origin, keeps a payload away from the editor's session even if a sink is missed. Note that a web application firewall only inspects traffic to the server; a DOM-based payload can be rendered entirely in the browser, so WAF XSS rules are a weak control here and should not be counted on. Monitor for a fixed release from the Onlook maintainers and apply it promptly; until then, restrict who can edit shared content. Regular security testing, including client-side code review for innerHTML sinks and penetration testing focused on DOM-based XSS, is recommended to find similar issues before they are reported.
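The innerHTML sink the Technical Summary describes and the textContent, output-encoding and Trusted Types fixes recommended above, side by side. This is an added example, not Onlook's code: the function names, the policy name onlook-text, the fake element and the payload are all constructed for illustration, and the fake element only stands in for a real DOM node so the comparison runs outside a browser.

```javascript
// Added example (not Onlook's code). Shows the innerHTML sink pattern
// behind CVE-2025-63785 and three hardened alternatives. All names here
// (applyEditUnsafe, applyEditSafe, escapeHtml, onlook-text) are hypothetical.

// Vulnerable pattern: user-supplied text is handed to an HTML parser,
// so markup and event-handler attributes in it become live nodes.
function applyEditUnsafe(el, userText) {
  el.innerHTML = userText;            // <img src=x onerror=...> executes
  return el;
}

// Fix 1: treat the edit as data. textContent never parses markup.
function applyEditSafe(el, userText) {
  el.textContent = userText;
  return el;
}

// Fix 2: when the sink must stay innerHTML (a fixed template around the
// text), encode the five HTML-significant characters first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function applyEditEncoded(el, userText) {
  el.innerHTML = `<span class="edited">${escapeHtml(userText)}</span>`;
  return el;
}

// Fix 3: Trusted Types. With the response header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types onlook-text
// the browser refuses el.innerHTML = "<plain string>" unless the value was
// produced by a registered policy, so every remaining sink is forced through
// escapeHtml. Returns null outside a browser (trustedTypes is undefined in Node).
function createTextPolicy() {
  if (typeof trustedTypes === 'undefined') return null;
  return trustedTypes.createPolicy('onlook-text', {
    createHTML: (input) => escapeHtml(input),
  });
}

// Constructed payload of the kind a DOM-XSS test would use (not from the advisory).
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Minimal stand-in for a DOM element so the comparison runs without a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Demonstration: the same payload through each path.
function demo() {
  return {
    unsafe: applyEditUnsafe(fakeElement(), PAYLOAD).innerHTML,    // markup preserved
    safe: applyEditSafe(fakeElement(), PAYLOAD).textContent,      // stored as text
    encoded: applyEditEncoded(fakeElement(), PAYLOAD).innerHTML,  // entities, no tags
  };
}
```

applyEditUnsafe is the shape to search for in a code review: list every assignment to innerHTML, outerHTML and insertAdjacentHTML and confirm the value is either a constant template or has passed through escapeHtml or a sanitizer. In a browser served with the CSP header shown in the comment, createTextPolicy() returns the only object whose createHTML output innerHTML will accept, so an unreviewed raw-string assignment fails loudly instead of executing.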
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27
- CVSS Version: null (no CVSS score published)
- State: PUBLISHED
Threat ID: 690e23aa5ed2b3c9882b3444
Added to database: 11/7/2025, 4:51:54 PM
Last enriched: 11/7/2025, 5:00:46 PM
Last updated: 11/8/2025, 12:13:52 PM
Related Threats
- CVE-2025-12837: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in smub aThemes Addons for Elementor (Medium)
- CVE-2025-12643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in saphali Saphali LiqPay for donate (Medium)
- CVE-2025-12399: CWE-434 Unrestricted Upload of File with Dangerous Type in alexreservations Alex Reservations: Smart Restaurant Booking (High)
- CVE-2025-12092: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gregross CYAN Backup (Medium)
- CVE-2025-11980: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in kybernetikservices Quick Featured Images (Medium)