Security Vulnerability

CVE-2025-48757

The Lovable vulnerability that exposed databases of 170+ apps

Discovered: January 2025 | Published: May 29, 2025

Check If Your App Is Vulnerable
170+
Apps Affected
303
Vulnerable Endpoints
10.3%
Of Lovable Apps Exposed

What Happened

In January 2025, security researcher Matt Palmer (a Replit employee) discovered a widespread security vulnerability affecting applications built with Lovable, a popular AI code generation platform.

The vulnerability stemmed from missing or misconfigured Row Level Security (RLS) policies in Supabase databases. When developers used Lovable to generate apps, the AI would create database tables without properly configuring RLS - leaving user data exposed to anyone who could query the database.

Out of 1,645 Lovable apps scanned, 170 apps (10.3%) had exposed databases with a combined 303 vulnerable API endpoints.

Timeline

January 2025

Matt Palmer discovers the vulnerability while researching AI-generated app security

January-March 2025

Responsible disclosure to Lovable team. Affected app developers notified.

May 29, 2025

CVE-2025-48757 publicly disclosed

August 2025

Lovable achieves SOC 2 Type 2 compliance and ISO 27001:2022 certification

Technical Details

Root Cause: Missing RLS Policies

Lovable uses Supabase as its exclusive backend. When the AI generates database tables, it often fails to:

  1. Enable Row Level Security on tables
  2. Create appropriate RLS policies to restrict access
  3. Properly scope policies to authenticated users

This left tables accessible to anyone with the public anon_key - which is always exposed in the app's JavaScript.

How The Attack Worked

// 1. Attacker finds Supabase URL in the app's JavaScript
const supabaseUrl = "https://xxx.supabase.co"
const anonKey = "eyJ..." // Public anon key (always exposed)

// 2. Creates a Supabase client
const supabase = createClient(supabaseUrl, anonKey)

// 3. Queries tables directly - no RLS means all data returned
const { data } = await supabase.from('users').select('*')
// Returns ALL user data: emails, passwords, payment info...

Without RLS, the database trusts the anon_key and returns all data.

Data Exposed

  • User emails and names
  • Passwords (in some apps that stored plaintext)
  • Financial information and transaction history
  • API keys (OpenAI, Stripe, etc.)
  • Stripe payment data and customer info
  • Admin credentials with service_role access in some cases

Expert Commentary

"This is the single biggest challenge with vibe coding. The most obvious problem is that they're going to build stuff insecurely. We're due for a very rude awakening."

Simon Willison

Veteran Developer & AI Researcher

"Best practice is to avoid letting users access the database directly at all."

Alex Stamos

CISO, SentinelOne

Lovable's Response

To their credit, Lovable has taken steps to address the vulnerability:

Security Scan Feature

Built-in scanner that checks if RLS is enabled (but not if it's correctly configured)

AI Security Review

AI-powered security review tool for generated code

API Key Detection

Warns when API keys are detected in chat

SOC 2 & ISO 27001

Achieved SOC 2 Type 2 and ISO 27001:2022 certification (August 2025)

How to Check If Your App Is Vulnerable

1

Run Lovable's Built-in Security Scan

Go to your Lovable dashboard and run the Security Scan feature. It will tell you if RLS is enabled on your tables.

2

Check Supabase Dashboard

Go to Authentication → Policies in your Supabase dashboard. Every table with user data should have RLS enabled AND have policies defined.

3

Test Your Deployed App

Use Vibe App Scanner to test your deployed application. We'll attempt to access your database without authentication and tell you if data is exposed.

Get Starter Scan

How to Fix the Vulnerability

-- 1. Enable RLS on all tables with user data
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;

-- 2. Create policies that restrict access to row owners
CREATE POLICY "Users can only access own data"
ON your_table
FOR ALL
TO authenticated
USING ((select auth.uid()) = user_id);

-- 3. Test: This should return 0 rows when run as anonymous
SELECT * FROM your_table;
Read our complete Supabase RLS guide

Frequently Asked Questions

What is CVE-2025-48757?

CVE-2025-48757 is a critical security vulnerability affecting apps built with Lovable. It involves missing or misconfigured Row Level Security (RLS) policies in Supabase databases, which allowed unauthorized access to user data across 170+ applications.

How many apps were affected?

170 out of 1,645 Lovable apps scanned (10.3%) were found to have exposed databases. These 170 apps had 303 vulnerable API endpoints that could be exploited to access user data.

Is my Lovable app safe now?

Not automatically. While Lovable has added security features, existing apps need to be manually reviewed and fixed. You must enable RLS on all tables and create appropriate policies. Use the Security Scan feature in Lovable or scan your app with VAS to check.

Don't Be the Next CVE

Scan your Lovable app to find RLS misconfigurations and other security issues before attackers do.

Get Starter ScanIs Lovable Safe?

Last updated: January 15, 2026