CVE-2025-48757
170 production apps affected simultaneously by inverted access control.
“The code looked right. It ran fine. It just let in the wrong people.”
The Situation
Researchers discovered a systemic pattern in Lovable-generated projects: access control logic was being inverted. Not in one app — in 170 production applications at once.
What Happened
Authenticated users were being blocked from their own data. Unauthenticated users had full access to everything. The code was not obviously broken — it passed visual review and worked correctly in the happy path. A CVE was assigned. 170 live apps were affected.
What Would Have Caught It
End-to-end access control testing: log in as a real user and confirm you can see your data; make a request without authentication and confirm you cannot. Such a test would have failed immediately on every affected app.
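The check described above, scripted against a minimal in-memory data layer, as an added example that is not the page's or Lovable's code; the two policy functions are hypothetical stand-ins, one showing the inverted shape the page describes and one the corrected owner-only rule:

```javascript
// Constructed sample rows, each owned by a user id (not real app data).
const ROWS = [
  { id: 1, owner: "alice", note: "alice's note" },
  { id: 2, owner: "bob", note: "bob's note" },
];

// Hypothetical inverted policy: anonymous requests pass, and an
// authenticated user is denied exactly the rows they own.
function invertedPolicy(user, row) {
  return user === null || user.id !== row.owner;
}

// Corrected policy: only the authenticated owner may read a row.
function ownerOnlyPolicy(user, row) {
  return user !== null && user.id === row.owner;
}

// Simulated API handler: returns the rows the policy lets `user` see.
// `user` is null for an unauthenticated request.
function listNotes(policy, user) {
  return ROWS.filter((row) => policy(user, row));
}

// The end-to-end checks a practitioner would script:
//   1. a real user sees their own data
//   2. an unauthenticated request sees nothing
//   3. a user never sees another user's data
function runAccessChecks(policy) {
  const alice = { id: "alice" };
  const aliceRows = listNotes(policy, alice);
  const anonRows = listNotes(policy, null);
  return {
    authedSeesOwn: aliceRows.some((r) => r.owner === "alice"),
    anonBlocked: anonRows.length === 0,
    noCrossUserLeak: aliceRows.every((r) => r.owner === "alice"),
  };
}

// Single pass/fail verdict for a policy; fails on the inverted policy.
function policyPasses(policy) {
  const r = runAccessChecks(policy);
  return r.authedSeesOwn && r.anonBlocked && r.noCrossUserLeak;
}

console.log("inverted policy passes:", policyPasses(invertedPolicy)); // false
console.log("owner-only policy passes:", policyPasses(ownerOnlyPolicy)); // true
```

Running the same three checks on every generated app would have flagged the inverted variant on the first request, whatever the code looked like on review.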
The Lesson
“The code looked right. It ran fine. It just let in the wrong people.”
Don't ship without a review.
A Launchwright audit catches what the AI missed before your users do. Starting at $299.
Request an Audit →