Byte Open Security (ByteOS Network)

Vulnerability Details:

CVE-2025-48757

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 30 May, 2025 | 00:00
Updated At: 21 Aug, 2025 | 02:28
Rejected At: -
Credits: -

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application.

Common Vulnerabilities and Exposures (CVE), source: cve.org
CVE Numbering Authority (CNA) record

Affected Products
Vendor: Lovable
Product: Lovable
Default Status: unknown
Versions affected:
  • From 0 through 2025-04-15 (custom)
Problem Types
  • CWE-863 Incorrect Authorization (type: CWE)
Metrics (CVSS)
Version: 3.1
Base score: 9.3
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
References (resource type: N/A for all)
  • https://docs.lovable.dev/changelog
  • https://mattpalmer.io/posts/CVE-2025-48757/
  • https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9
  • https://x.com/danialasaria/status/1911862269996118272
  • https://mattpalmer.io/posts/statement-on-CVE-2025-48757/
Authorized Data Publishers (ADP): CISA ADP Vulnrichment
References
  • https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9 (resource type: exploit)
Other ADP fields (affected products, metrics, solutions, workarounds, credits, timeline): information is not available yet.
National Vulnerability Database (NVD), source: nvd.nist.gov
Source: cve@mitre.org
Published At: 30 May, 2025 | 03:15
Updated At: 21 Aug, 2025 | 03:15

CISA Catalog: N/A (Date Added, Due Date, Vulnerability Name and Required Action all N/A)
Metrics (CVSS)
Type: Secondary
Version: 3.1
Base score: 9.3
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CPE Matches: -
Weaknesses
  • CWE-863 (type: Secondary, source: cve@mitre.org)
References (resource type: N/A for all)
  • https://docs.lovable.dev/changelog (source: cve@mitre.org)
  • https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9 (source: cve@mitre.org)
  • https://mattpalmer.io/posts/CVE-2025-48757/ (source: cve@mitre.org)
  • https://mattpalmer.io/posts/statement-on-CVE-2025-48757/ (source: cve@mitre.org)
  • https://x.com/danialasaria/status/1911862269996118272 (source: cve@mitre.org)
  • https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9 (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)


Similar CVEs

2 records found

CVE-2021-21276
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 9.3 | CRITICAL
EPSS: 18.53% / 95.00%
7 Day Change: ~0.00%
Published: 01 Feb, 2021 | 00:00
Updated: 03 Aug, 2024 | 18:09
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Privilege escalation in Polr

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

Action: Not Available
Vendor: polrproject, cydrobolt
Product: polr
CWE ID: CWE-863 Incorrect Authorization

CVE-2022-22157
Matching Score: 4
Assigner: Juniper Networks, Inc.
CVSS Score: 7.2 | HIGH
EPSS: 0.24% / 47.30%
7 Day Change: ~0.00%
Published: 19 Jan, 2022 | 00:21
Updated: 17 Sep, 2024 | 04:04
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Junos OS: SRX Series: Traffic classification vulnerability when 'no-syn-check' is enabled

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R2-S5, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.

Action: Not Available
Vendor: Juniper Networks, Inc.
Product: junos (Junos OS)
CWE ID: CWE-863 Incorrect Authorization