HIGH · CVSS 8.0
Class vulnerability — Supabase anon_key + DATABASE_URL in client bundle
A server-only DATABASE_URL that is accidentally given a NEXT_PUBLIC_, PUBLIC_ or VITE_ prefix is inlined by the bundler, so the full Postgres connection string ships to every visitor in the client bundle.
Affects
- Apps generated with Lovable, Bolt, v0 or Cursor in which the env-var prefix has been confused (a server-only variable given a public prefix)
What an attacker does
The attacker downloads the public JS bundle, extracts DATABASE_URL from it and connects to Postgres directly. This bypasses RLS, since the direct connection carries service-role-equivalent privileges.
How to detect
Search the project's .env files for a server-only variable that carries a public prefix, for example:

grep -rEn '^(NEXT_PUBLIC_|VITE_|PUBLIC_)[A-Z0-9_]*(DATABASE_URL|SERVICE_ROLE)' .env*

Any hit is a DATABASE_URL or service-role-equivalent string that the bundler will inline into the client.
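A small checker for the same condition, added here as an example and not Securie's own code: it parses .env text and, for each public-prefixed variable, flags server-only names as well as values that are a Postgres connection string or a Supabase JWT whose role claim is service_role, so a misnamed variable is caught too. The prefixes and name markers follow this page; the sample .env below is constructed.

```python
import base64
import json
import re

PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "PUBLIC_")  # inlined into client bundles
SERVER_ONLY_MARKERS = ("DATABASE_URL", "SERVICE_ROLE")  # names of server-only secrets


def jwt_role(value):
    """Return the 'role' claim of a Supabase-style JWT (anon / service_role), else None."""
    try:
        payload = value.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None


def classify(name, value):
    """Return why a value must stay server-side, or None if it may safely be public."""
    if any(marker in name for marker in SERVER_ONLY_MARKERS):
        return "server-only name"
    if re.match(r"^postgres(ql)?://\S+$", value):
        return "postgres connection string"
    if jwt_role(value) == "service_role":
        return "JWT with role=service_role"
    return None  # e.g. the anon key (role=anon) or the project URL


def find_leaks(env_text):
    """Return (name, reason) for public-prefixed variables that hold server-only secrets."""
    leaks = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not name.startswith(PUBLIC_PREFIXES):
            continue  # without a public prefix the value never reaches the bundle
        reason = classify(name, value.strip("\"'"))
        if reason:
            leaks.append((name, reason))
    return leaks


# Constructed sample .env; the JWTs carry only a role claim and a dummy signature.
SAMPLE_ENV = """
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.sig
NEXT_PUBLIC_DATABASE_URL="postgres://postgres:pw@db.example.supabase.co:5432/postgres"
DATABASE_URL=postgres://postgres:pw@db.example.supabase.co:5432/postgres
PUBLIC_DB=postgresql://postgres:pw@db.example.supabase.co:5432/postgres
VITE_SUPABASE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.sig
"""
```

Running find_leaks(SAMPLE_ENV) reports the three public-prefixed leaks and ignores the unprefixed DATABASE_URL and the anon key.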
How to fix
Remove the public prefix from DATABASE_URL so it stays server-only, and rotate any credential that has already shipped in a bundle.
How Securie catches CVE-2024-XXXX
The live_validate step of Securie's secret_scanner specialist distinguishes server-only variables from public-prefixed ones, so a DATABASE_URL behind a NEXT_PUBLIC_, PUBLIC_ or VITE_ prefix is reported.