
Lovable, one of the most popular of the so-called vibe-coding platforms, allowed unauthorized users to access sensitive user data held by apps built on it.
“On March 20th, 2025, my colleague and I discovered a critical vulnerability in Lovable's implementation of Row Level Security (RLS) policies,” Matt Palmer from Replit, an AI coding assistant company, tweeted.
The vulnerability, CVE-2025-48757, was described as critical, and allegedly affects any Lovable project that uses a database created on or before April 15th.
The flaw is classified as incorrect authorization and stems from missing or insufficient RLS policies on the projects' databases: when row-level security is not enabled on a table, or its policies do not tie each row to the requesting user, any client that can reach the database with the app's own credentials can read or modify other users' rows.
“Lovable later introduced a ‘security scanner,’ but it merely checks for the existence of any RLS policy, not its correctness or alignment with application logic. This provides a false sense of security, failing to detect the misconfigurations that expose data,” he posted on X.
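The distinction Palmer draws, a policy that exists versus one that actually restricts rows, is easy to show in plain PostgreSQL. The block below is an added example, not Lovable's schema, scanner, or any code from the projects mentioned. It assumes the application passes the caller's identity in a session setting named app.current_user_id (a hosted platform would expose the same identity through its own helper function); the table, role name and row data are constructed for illustration.

```sql
-- Added example (constructed; not Lovable's schema or scanner).
-- Assumption: the app sets the caller's id in the session variable
-- app.current_user_id before running queries.

create table public.debts (
  id        bigserial      primary key,
  user_id   uuid           not null,
  amount    numeric(12,2)  not null,
  home_addr text
);

-- RLS is opt-in per table. Without this line every policy is ignored and
-- any role with SELECT on the table reads every row.
alter table public.debts enable row level security;

-- WEAK: a policy exists, so an existence-only scanner is satisfied,
-- but USING (true) admits every row to every caller.
create policy debts_read_all on public.debts
  for select
  using (true);

-- Helper that yields NULL (and therefore matches nothing) when no
-- caller identity has been set in the session.
create function public.current_app_user() returns uuid
language sql stable as $$
  select nullif(current_setting('app.current_user_id', true), '')::uuid
$$;

-- CORRECT: replace the permissive policy with ones bound to the caller.
drop policy debts_read_all on public.debts;

create policy debts_owner_select on public.debts
  for select
  using (user_id = public.current_app_user());

create policy debts_owner_insert on public.debts
  for insert
  with check (user_id = public.current_app_user());

create policy debts_owner_update on public.debts
  for update
  using (user_id = public.current_app_user())
  with check (user_id = public.current_app_user());

-- Caveat: the table owner and superusers bypass RLS unless it is forced,
-- so the application must connect as a non-owner role (here app_user).
alter table public.debts force row level security;
create role app_user noinherit;
grant select, insert, update on public.debts to app_user;
grant usage on sequence public.debts_id_seq to app_user;

-- Constructed rows for two different users.
insert into public.debts (user_id, amount, home_addr) values
  ('00000000-0000-0000-0000-000000000001', 1200.00, '1 Example St'),
  ('00000000-0000-0000-0000-000000000002', 5400.00, '2 Example St');

-- Verify isolation as the application role acting for user ...0001.
-- Under debts_read_all this count was 2; with the owner policies it is 1.
set role app_user;
select set_config('app.current_user_id',
                  '00000000-0000-0000-0000-000000000001', false);
select count(*) from public.debts;
reset role;

-- Audit query: what a scanner should check instead of "any policy exists".
-- Flags tables in public that have RLS disabled, have RLS enabled but no
-- policy at all, or carry a policy whose predicate is the literal true.
select n.nspname, c.relname,
       c.relrowsecurity      as rls_on,
       c.relforcerowsecurity as rls_forced,
       p.policyname, p.cmd, p.qual, p.with_check
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind = 'r'
  and (not c.relrowsecurity
       or p.policyname is null
       or p.qual = 'true'
       or p.with_check = 'true');
```

The audit query is the practical takeaway: a policy row in pg_policies proves nothing on its own, so a review has to look at the predicate text (qual and with_check), confirm RLS is enabled and forced on every table that holds per-user data, and confirm the role the app connects with is not the table owner. A USING (true) policy passes an existence check and still exposes every row, which is exactly the class of misconfiguration the quoted tweet describes.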
The vulnerability was independently discovered by software engineer Danial Asaria.
“I just hacked multiple @lovable_dev 'top launched' sites. Wait – what?” Asaria tweeted.
In less than an hour, Asaria allegedly extracted the following information from live production apps:
- Personal debt amounts
- Home addresses
- API keys (admin access)
- Spicy prompts
“Be cautious which 'vibe coder' you trust with your personal data,” Asaria added.
Lovable responded to the findings by saying it was now “significantly better at building secure apps than a few months ago.”
Sweden’s Lovable is on a rapid growth trajectory. Vibe coding is becoming both a blessing and a curse for developers under pressure to ship and iterate at breakneck speed, and the practice is drawing an increasing, and not always flattering, share of mainstream media attention.
Just a few months ago, Lovable was criticized as the easiest tool for creating phishing scams when compared to ChatGPT and Claude.