A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Onlook |
|
No data.
No data.
References
History
Mon, 10 Nov 2025 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Onlook
Onlook onlook |
|
| Vendors & Products |
Onlook
Onlook onlook |
Fri, 07 Nov 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2025-11-07T00:00:00.000Z
Updated: 2025-11-07T16:00:11.579Z
Reserved: 2025-10-27T00:00:00.000Z
Link: CVE-2025-63783
Vulnrichment
No data.
NVD
Status : Received
Published: 2025-11-07T16:15:42.943
Modified: 2025-11-07T16:15:42.943
Link: CVE-2025-63783
Redhat
No data.