CVE-2025-63784

Name of the Vulnerable Software and Affected Versions Onlook web application version 0.2.32

Description An Open Redirect issue exists in the OAuth callback handler located in the file onlook/apps/web/client/src/app/auth/callback/route.ts. The application improperly validates the X-Forwarded-Host header when building a redirect URL. An attacker can exploit this by sending a crafted X-Forwarded-Host header, potentially redirecting an authenticated user to a malicious website for phishing attacks.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider implementing strict validation of the X-Forwarded-Host header to prevent manipulation.