PT-2025-23236 · Lovable · Lovable

Kody Low +1

Published: 2025-05-30 · Updated: 2026-06-12 · CVE-2025-48757

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Lovable versions prior to 2025-04-15

Description: An insufficient database Row-Level Security (RLS) policy allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. Row-Level Security is a database feature that restricts which rows of a table a user can access based on their identity or role. In this case, missing or misconfigured RLS in the Supabase databases used by AI-generated applications often leaves table data publicly readable and writable by default.
Real-world incidents include the exposure of over 170 user-built applications, the exposure of 18,697 student records due to an inverted authentication check, and the exposure of 303 insecure endpoints.

Recommendations: For versions prior to 2025-04-15, developers must review and secure the Row-Level Security policies of their Supabase databases to ensure data is not exposed publicly.
As a temporary mitigation, restrict access to the database tables and ensure that RLS is explicitly enabled for all tables containing sensitive user data.
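As an added illustration (not code from the advisory, from Lovable or from Supabase), the weak state beside the corrected one for a hypothetical `profiles` table; the table and column names are assumptions, while `auth.uid()` and the `anon`/`authenticated` roles are the standard Supabase ones. The audit query at the end goes beyond the single table and lists every exposed table in the schema that still has RLS off.

```sql
-- Constructed example; the table and its columns are assumed, not from the advisory.

-- Weak state: the table is reachable through the Supabase API with RLS off.
-- Any client holding the public anon key can SELECT/INSERT/UPDATE/DELETE every row.
create table public.profiles (
  id       bigint generated always as identity primary key,
  owner_id uuid not null references auth.users (id),
  email    text not null,
  notes    text
);
-- (no ENABLE ROW LEVEL SECURITY, no policies)

-- Fix step 1: turn RLS on. With RLS enabled and no policies, the anon and
-- authenticated roles see zero rows, which is the safe default.
alter table public.profiles enable row level security;
-- Apply the policies to the table owner as well, so an owner-level connection
-- does not silently bypass them.
alter table public.profiles force row level security;

-- Fix step 2: let each signed-in user read only their own row.
create policy "profiles: owner can read"
  on public.profiles
  for select
  to authenticated
  using (owner_id = (select auth.uid()));

-- Let each signed-in user change only their own row; WITH CHECK stops an
-- INSERT/UPDATE from handing the row to a different owner.
create policy "profiles: owner can write"
  on public.profiles
  for all
  to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

-- Audit: list ordinary tables in the API-exposed public schema with RLS still off.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Every row the audit query returns is a table that the anon key can read and write without any policy in the way; the service_role key bypasses RLS by design, so it must never reach a browser or generated client.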

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2025-48757

Affected Products

Lovable