Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63785

CVE-2025-63785: Onlook Web Application XSS Vulnerability

CVE-2025-63785 is a DOM-based cross-site scripting vulnerability in Onlook web application 0.2.32 that allows attackers to inject malicious scripts through the text editor. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-63785 Overview

CVE-2025-63785 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the text editor feature of the Onlook web application version 0.2.32. The flaw occurs because user-supplied input is not sanitized before being injected into the DOM via innerHTML when a user edits a text element. An attacker can inject malicious HTML and script code that executes within the context of the preview iframe. Successful exploitation allows arbitrary script execution in the victim's browser session. The vulnerability is categorized under [CWE-20: Improper Input Validation].

Critical Impact

Arbitrary script execution within the preview iframe context, enabling session-scoped attacks against users of Onlook 0.2.32.

Affected Products

  • Onlook web application version 0.2.32
  • CPE: cpe:2.3:a:onlook:onlook:0.2.32:*:*:*:*:*:*:*
  • Component: onlook:onlook

Discovery Timeline

  • 2025-11-07 - CVE-2025-63785 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-63785

Vulnerability Analysis

The vulnerability is a DOM-based XSS flaw in Onlook's text editor feature. When a user edits a text element, the application takes the input string and assigns it directly to an element's innerHTML property. Because the input is not sanitized or encoded, any HTML markup, including <script> tags and event-handler attributes such as onerror and onload, becomes active DOM content. The injected payload runs inside the preview iframe, where it can access iframe-scoped storage, cookies, and application state. User interaction is required to trigger the sink, which aligns with the CVSS user-interaction requirement. Detailed analysis is available in the Soohyun Blog CVE-2025-63785 Analysis and the Toss Bank DOM XSS Report.

Root Cause

The root cause is unsafe use of the innerHTML sink in the text editor code path. The application treats untrusted editor content as trusted markup instead of plain text. Safer alternatives such as textContent or a DOM sanitizer library were not applied before assignment.

Attack Vector

An attacker crafts a text element containing HTML or JavaScript payloads and induces a victim to load or edit that content in Onlook. Because the scope changes to the preview iframe, the injected code runs with the privileges of the rendered preview context. The referenced analyses describe payload construction and execution flow within the Onlook editor.

Detection Methods for CVE-2025-63785

Indicators of Compromise

  • Unexpected <script>, <img onerror=...>, or <svg onload=...> markup persisted in Onlook project text elements or exported artifacts.
  • Outbound requests from the preview iframe to attacker-controlled domains that do not match legitimate Onlook asset hosts.
  • Browser console errors or Content Security Policy (CSP) violations originating from the Onlook preview iframe.

Detection Strategies

  • Review Onlook project text content for HTML tags or JavaScript event handlers that should not exist in user-authored copy.
  • Inspect application logs and browser telemetry for anomalous DOM mutations or script execution inside the preview iframe.
  • Add runtime checks that flag assignments to innerHTML containing <script>, on*= handlers, or javascript: URIs.

Monitoring Recommendations

  • Enable CSP reporting on the Onlook host and forward violation reports to a central logging pipeline.
  • Monitor egress traffic from user browsers to unexpected domains that could indicate exfiltration from a compromised session.
  • Track version inventory to confirm no instances of Onlook 0.2.32 remain deployed after remediation.

How to Mitigate CVE-2025-63785

Immediate Actions Required

  • Upgrade Onlook to a version later than 0.2.32 once the vendor publishes a fixed release.
  • Restrict access to Onlook instances so only trusted users can edit or import text elements until a patch is applied.
  • Advise users not to open or import Onlook projects from untrusted sources.

Patch Information

No vendor advisory URL is listed in the NVD entry at publication. Consult the Onlook project repository and the referenced Soohyun Blog CVE-2025-63785 Analysis for remediation status and fix commits. Apply the fix by replacing innerHTML assignments with textContent or by routing input through a vetted HTML sanitizer such as DOMPurify.

Workarounds

  • Enforce a strict Content Security Policy on the preview iframe that disallows inline scripts and unsafe-eval.
  • Sandbox the preview iframe with the sandbox attribute and omit allow-scripts where feasible for review workflows.
  • Validate and reject text-element input containing HTML tags or event-handler attributes at the application layer.
bash
# Example CSP header to restrict script execution in the preview iframe
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.