CVE-2025-48757 · Lovable Missing RLS Exposure
Severity: high · Published: 2025-06-14 · CVE-2025-48757
CVE-2025-48757 documented a systemic pattern where Lovable-generated Supabase backends shipped without Row Level Security enabled on public tables · leaving user data readable by anyone with the project's anon key (which is public by design). Researchers found the issue affected a large fraction of publicly-deployed Lovable projects.
Affected
- Lovable projects using Supabase backend created before June 2025
- Any public.* table with RLS off or with `USING (true)` policies
- Applies regardless of Lovable app version · it's a configuration class, not a code bug
Impact
Full read access to affected tables via the public anon key. In some cases, insert/update/delete access too. Sensitive columns like email addresses, order histories, and private notes were exposed. The anon key is embedded in every deployed frontend, so no authentication was needed to exploit.
Fix
- Run SimplyScan against your deployed URL · we detect the exact pattern in 30 seconds.
- In Supabase Studio, list every public.* table and confirm RLS is enabled on each.
- For each table, replace `USING (true)` policies with `USING (user_id = auth.uid())` or an equivalent scoped rule.
- Add `GRANT SELECT, INSERT, UPDATE, DELETE ON <table> TO authenticated;` if missing · required after enabling RLS.
- Rotate the anon key only after remediating · rotation without fixing RLS just moves the problem.
Check your app →