CVE-2025-48757: Lovable Data Exposure
The most significant vibe coding security incident to date. Over 170 applications built with Lovable exposed sensitive user data through missing Supabase Row Level Security policies.
What Happened
In mid-2025, security researchers discovered that applications generated by Lovable (formerly GPT Engineer), a popular AI app builder, were systematically deploying with misconfigured Supabase databases. The core issue was that Lovable's AI code generation consistently failed to implement Row Level Security (RLS) policies on Supabase tables.
Supabase exposes a public REST API (PostgREST) that allows direct database queries using the anon key. This is by design — Supabase anon keys are intended to be public, with security enforced through RLS policies. However, when Lovable generated database schemas and application code, it either left RLS disabled entirely or created tables without any security policies.
This meant that anyone who found a Lovable-generated app's Supabase URL and anon key (both embedded in the client-side JavaScript bundle) could query every table in the database directly, bypassing any application-level authentication. The anon key and Supabase URL are not secrets — they are designed to be public — but without RLS policies, there was no security layer at all.
Incident Timeline
Technical Details
The Root Cause: Missing RLS Policies
Supabase uses PostgreSQL's Row Level Security feature to control access to database rows. When RLS is enabled on a table, access is denied by default unless a policy explicitly grants it. This is the primary security mechanism for Supabase applications.
Lovable's code generation created tables like this:
-- What Lovable generated (VULNERABLE)
CREATE TABLE user_profiles (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
user_id UUID REFERENCES auth.users(id),
email TEXT,
full_name TEXT,
phone TEXT,
created_at TIMESTAMPTZ DEFAULT now()
);
-- RLS was NOT enabled
-- No policies were created
-- Anyone with the anon key could SELECT * FROM user_profilesThe correct implementation should have included:
-- What SHOULD have been generated (SECURE)
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can view own profile"
ON user_profiles FOR SELECT
TO authenticated
USING ((select auth.uid()) = user_id);
CREATE POLICY "Users can update own profile"
ON user_profiles FOR UPDATE
TO authenticated
USING ((select auth.uid()) = user_id);Attack Vector
Exploiting this vulnerability required no special tools or expertise. An attacker could:
View the page source or network requests of any Lovable-generated app to find the Supabase URL and anon key (these are always in the client bundle)
Use the Supabase REST API directly with a simple curl command or the Supabase JS client to query any table
Read, modify, or delete any data in the database — including user profiles, payment information, private messages, and application data
# Simple exploitation — no auth needed
curl 'https://[project].supabase.co/rest/v1/user_profiles?select=*' \
-H "apikey: [anon-key-from-page-source]" \
-H "Authorization: Bearer [anon-key-from-page-source]"Impact
Personal Data Exposure
User emails, names, phone numbers, and addresses were readable by anyone. Some apps stored sensitive health or financial data.
Data Manipulation
Without RLS, attackers could not only read but also modify or delete data, potentially corrupting entire databases.
Authentication Bypass
Application-level auth checks were meaningless because attackers queried the database directly, bypassing the frontend entirely.
Widespread Scope
170+ confirmed apps affected across SaaS products, marketplaces, booking systems, and internal tools built with Lovable.
Root Cause Analysis
CVE-2025-48757 is emblematic of a systemic problem in AI code generation: LLMs optimize for functional correctness, not security. The generated code worked — users could sign up, log in, and use the application. But the security layer that protects multi-tenant data was consistently omitted.
AI Training Data Gaps
Many Supabase tutorials and examples in the LLM training data show basic CRUD operations without RLS setup. The AI learned to create functional apps but not secure ones.
No Security Validation Layer
Lovable had no automated check to verify that generated Supabase schemas included RLS policies. The AI output went directly to deployment without security review.
User Trust in AI Output
Lovable's target audience is non-technical users who trust the AI to handle security. Unlike experienced developers who would check for RLS, Lovable users had no way to know their data was exposed.
How VAS Detects This Issue
Vibe App Scanner specifically checks for the patterns that led to CVE-2025-48757:
Detects Supabase configuration in client-side JavaScript bundles
Identifies exposed Supabase URLs and verifies they are properly secured with RLS
Tests direct REST API access to detect tables without RLS policies
Checks for common Lovable-generated patterns that indicate missing security configuration
Flags applications where the anon key grants broader access than intended
Provides specific remediation guidance with SQL commands to enable RLS
Prevention Steps
Always Enable RLS on Every Table
Run ALTER TABLE my_table ENABLE ROW LEVEL SECURITY on every table in your Supabase project, even tables you think are public.
Create Explicit Policies
Define policies for SELECT, INSERT, UPDATE, and DELETE operations. Use (select auth.uid()) = user_id pattern for user-scoped data.
Audit AI-Generated Database Schemas
Never trust AI-generated database code without reviewing security configuration. Check for RLS, policies, and proper role assignments.
Test with the Anon Key
Try querying your Supabase tables using only the anon key. If you can read data you shouldn't be able to, RLS is not working.
Use Supabase Dashboard Security Advisor
Supabase provides built-in security warnings for tables without RLS. Check the Dashboard regularly for security advisories.
Scan Before Deploying
Use automated scanning tools like VAS to check your deployed application for exposed database access before going live.
Is Your App Vulnerable to CVE-2025-48757?
If you built your app with Lovable, Bolt, or any AI tool that uses Supabase, scan it now to check for missing RLS policies and exposed data.
Scan Your AppFrequently Asked Questions
What is CVE-2025-48757?
CVE-2025-48757 is a critical vulnerability in applications generated by Lovable where Supabase Row Level Security (RLS) policies were not properly configured, allowing unauthenticated users to read, modify, or delete data from any table in the database. It received a CVSS score of 9.8 (Critical).
How many apps were affected by CVE-2025-48757?
Over 170 publicly accessible applications built with Lovable were confirmed to have exposed databases due to missing or misconfigured RLS policies. The actual number may be higher as many Lovable apps are deployed privately.
Is my Lovable app vulnerable to CVE-2025-48757?
If your app was built with Lovable and uses Supabase, you should verify that RLS is enabled on all tables and that appropriate policies exist for each operation. Check your Supabase dashboard under Authentication > Policies, or use Vibe App Scanner to detect exposed endpoints.
Are Supabase anon keys a security risk?
No. Supabase anon keys are designed to be public and included in client-side code. Security is enforced by Row Level Security (RLS) policies at the database level. The problem in CVE-2025-48757 was not the exposed key — it was the missing RLS policies that should have restricted what the key could access.
Last updated: February 2026