CVE-2025-48757

CRITICAL

Lovable < 2025-04-15 - Info Disclosure

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-48757. PoCs published by Farenhytee, Omji-krypto, git-akki.

AI-analyzed exploit summary: This repository is a technical writeup and documentation for a database security auditing tool called 'Database Sentinel'. It provides detailed analysis of security vulnerabilities, anti-patterns, and remediation steps for databases like Supabase, MongoDB, and others. The content includes structured documentation, detection methods, and fix templates, but does not contain functional exploit code.

Description

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts responsibility for protecting the data of their application.

Exploits (4)

nomisec · WRITEUP · 12 stars
by Farenhytee · poc
https://github.com/Farenhytee/database-sentinel

This repository is a technical writeup and documentation for a database security auditing tool called 'Database Sentinel'. It provides detailed analysis of security vulnerabilities, anti-patterns, and remediation steps for databases like Supabase, MongoDB, and others. The content includes structured documentation, detection methods, and fix templates, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: Supabase, MongoDB, Firebase, PostgreSQL, MySQL
Auth: No auth needed
Prerequisites: Access to database configuration · Knowledge of database security best practices
Analyzed by devstral-2 on Apr 30, 2026
nomisec · SCANNER
by Omji-krypto · poc
https://github.com/Omji-krypto/db-fortress

This repository contains a security scanning tool called 'db-fortress' designed to detect misconfigurations and vulnerabilities in Supabase Edge Functions and Postgres databases. It includes features like JWT probing, source code scanning for hardcoded credentials, and supply chain drift detection.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Supabase Edge Functions and Postgres databases
Auth: Auth required
Prerequisites: SUPABASE_ACCESS_TOKEN with read:functions permission for active JWT probing · Postgres access for supply chain drift scanning
Analyzed by devstral-2 on May 12, 2026
nomisec · WRITEUP
by git-akki · poc
https://github.com/git-akki/cso-vibecheck

This repository provides a comprehensive security audit framework for AI-generated applications, focusing on common vulnerabilities like exposed secrets, BOLA, and misconfigurations. It includes detailed checks, incident references, and remediation templates but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: AI-generated applications (Cursor, Lovable, Bolt, Replit, v0, Claude-built)
Auth: No auth needed
Prerequisites: access to the target application's codebase
Analyzed by devstral-2 on May 01, 2026
nomisec · WRITEUP
by Farenhytee · poc
https://github.com/Farenhytee/supabase-sentinel

This repository provides a comprehensive security auditing tool for Supabase projects, detailing vulnerability patterns, detection methods, and remediation steps. It includes technical analysis of CVE-2025-48757 and other security risks, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Supabase projects
Auth: Auth required
Prerequisites: Supabase project access · Supabase credentials
Analyzed by devstral-2 on Mar 16, 2026

Scores

CVSS v3: 9.3
EPSS: 0.0020
EPSS Percentile: 42.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-863
Status: published
Products (1): Lovable/Lovable < 2025-04-15
Published: May 30, 2025
Tracked Since: Feb 18, 2026