SecureYourVibe Research

Vibe Coding Under Attack: 7 CVEs That Hit AI-Built Apps

These aren't theoretical risks. These are real vulnerabilities with real CVE numbers that affected millions of AI-built apps in 2025. Here's each one in plain English.

Why This Matters

A CVE (Common Vulnerabilities and Exposures) is an official ID assigned to a security vulnerability. When something gets a CVE number, it means the security community has confirmed it's real, rated how dangerous it is, and put it in a global database that every security tool on earth checks against.

In 2025, an unprecedented number of CVEs directly affected the tools and frameworks that vibe coders depend on. This isn't about hypothetical risks — these are documented exploits with proof-of-concept code and active exploitation in the wild.

Here are the seven that matter most.


CVE-2025-29927 CVSS 9.1

Next.js Middleware Auth Bypass

One HTTP header bypasses ALL your authentication.

Next.js is the most popular framework for vibe-coded apps. This vulnerability allowed anyone to bypass all middleware — including authentication — by adding a single header to their request:

x-middleware-subrequest: middleware

That's it. One header. Your login page, your admin dashboard, your API routes — all of them suddenly accessible to anyone who knows the trick. The header was meant for internal Next.js routing, but it was never restricted to internal use.

This affected Next.js versions 12 through 15. If your vibe-coded app uses Next.js middleware for auth (and many do — it's the pattern most AI tools generate), you were vulnerable.

Fix: Update Next.js immediately. 12.x → 12.3.5+, 13.x → 13.5.9+, 14.x → 14.2.25+, 15.x → 15.2.3+. SecureYourVibe now actively probes for this vulnerability.
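
An added example, not code from the original page or from Next.js: it checks the resolved Next.js versions in a lockfile against the patched releases in the Fix line, and strips the internal header from inbound requests as defence in depth. The function names, the sample lockfile and the header-stripping step are assumptions of this example; the page itself only calls for the update.

```javascript
// Patched floor per release line, copied from the Fix line above.
const PATCHED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// Accept only exact release versions ("14.2.10"). Ranges such as "^14.2.0" and
// pre-releases return null so they are reported as "unknown", not guessed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// "vulnerable" | "patched" | "unknown" for one resolved Next.js version.
function nextMiddlewareStatus(installed) {
  const v = parseVersion(installed);
  const floor = v && PATCHED[v[0]];
  if (!floor) return "unknown"; // unparsable, or a release line the page does not list
  for (let i = 1; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i] ? "patched" : "vulnerable";
  }
  return "patched";
}

// Walk a package-lock.json (lockfileVersion 2/3) and report every installed
// copy of next, including copies nested under workspaces.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === "node_modules/next" || p.endsWith("/node_modules/next"))
    .map(([p, meta]) => ({ path: p, version: meta.version, status: nextMiddlewareStatus(meta.version) }));
}

// Defence in depth at a proxy or custom server in front of Next.js: drop the
// internal header from inbound requests (header names are case-insensitive).
function stripInternalHeader(headers) {
  const clean = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "x-middleware-subrequest") stripped = true;
    else clean[name] = value;
  }
  return { headers: clean, stripped };
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "14.2.10" },
  "apps/admin/node_modules/next": { version: "15.2.3" },
  "node_modules/next-auth": { version: "4.24.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Feed it the lockfile, not the ranges in package.json: a range such as "^14.2.0" says nothing about which release is actually installed.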

CVE-2025-55182 CVSS 10.0

React2Shell: Remote Code Execution in React Server Components

A perfect 10 severity score. Pre-auth remote code execution.

React Server Components (RSC) — the new default in Next.js and other React frameworks — had a critical flaw. An attacker could craft a malicious request that executed arbitrary commands on your server without any authentication.

A CVSS score of 10.0 is the maximum possible severity. It means: no authentication required, full system compromise, trivially exploitable. This affected React 19.x apps using Server Components — which is exactly what most AI coding tools generate when you ask them to build a modern React app.

Fix: Update React to the latest patched version. If you're running React 19.x with Server Components, this is an emergency update.

CVE-2025-48757 CVSS 8.6

Lovable: Missing Supabase Row-Level Security

Any user could read any other user's data.

Apps generated by Lovable — one of the most popular AI coding platforms — shipped without Supabase Row-Level Security (RLS) enabled. This meant any authenticated user could query the database directly and access every other user's data.

Over 170 production apps were confirmed vulnerable. The issue was fundamental: Lovable's code generation templates simply didn't include RLS policies. Every app it built inherited the same flaw.

Fix: If you built with Lovable before the patch, manually enable RLS on every Supabase table and add appropriate policies. Check your Supabase dashboard → Authentication → Policies.
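
One way to audit for the missing-RLS condition described above, as an added example that is not Lovable's or Supabase's code. It takes rows from the PostgreSQL catalog views pg_tables and pg_policies; the function name, table names and policies are constructed for illustration.

```javascript
// Catalog queries that produce the two inputs (run as a privileged role):
//   SELECT schemaname, tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
//   SELECT schemaname, tablename, policyname, cmd, qual FROM pg_policies WHERE schemaname = 'public';
function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables) {
    const own = policies.filter(
      (p) => p.schemaname === t.schemaname && p.tablename === t.tablename
    );
    if (!t.rowsecurity) {
      // The condition behind the CVE: every row is readable through the API.
      findings.push({ table: t.tablename, issue: "rls-disabled" });
      continue;
    }
    // RLS on with no policy denies all non-owner access: safe, but usually a
    // sign the policies were never written and the app will break.
    if (own.length === 0) findings.push({ table: t.tablename, issue: "rls-on-no-policies" });
    for (const p of own) {
      // USING (true) matches every row, so it protects nothing.
      const expr = p.qual == null ? "" : p.qual.replace(/[()\s]/g, "").toLowerCase();
      if (expr === "true") {
        findings.push({ table: t.tablename, issue: `policy-allows-all:${p.policyname}` });
      }
    }
  }
  return findings;
}

// Constructed sample catalog rows (not from a real database).
const TABLES = [
  { schemaname: "public", tablename: "profiles", rowsecurity: false },
  { schemaname: "public", tablename: "orders", rowsecurity: true },
  { schemaname: "public", tablename: "notes", rowsecurity: true },
  { schemaname: "public", tablename: "audit_log", rowsecurity: true },
];
const POLICIES = [
  { schemaname: "public", tablename: "orders", policyname: "orders_owner", cmd: "ALL", qual: "(auth.uid() = user_id)" },
  { schemaname: "public", tablename: "notes", policyname: "notes_read", cmd: "SELECT", qual: "true" },
];
console.log(auditRls(TABLES, POLICIES));
```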

CVE-2025-43663 CVSS 8.1 CVE-2025-43861

Cursor IDE: SSRF + MCP Tool Injection

Your AI coding tool could be hijacked through its own features.

Two separate vulnerabilities in Cursor, the AI-powered IDE used by millions of developers:

These CVEs don't affect your deployed app — they affect your development environment. But if an attacker compromises your IDE, they can inject vulnerabilities into every app you build.

Fix: Update Cursor to the latest version. Review your MCP server connections and custom docs URLs. Only connect to trusted sources.

The Supply Chain Attacks

Not all threats come through your code. Some come through the packages your AI installs.

2.6B: Weekly downloads of targeted npm packages
20%: AI package recommendations that don't exist
245: Malicious npm packages discovered in one week
58%: AI-hallucinated packages persistently repeated

npm chalk-next / debug-js Supply Chain Attack

Attackers impersonated two of the most popular npm packages.

In September 2025, security researchers discovered malicious npm packages named chalk-next and debug-js — deliberately named to look like legitimate upgrades of chalk (50M weekly downloads) and debug (260M weekly downloads).

The malicious packages contained working code (copied from the originals) plus hidden payloads that exfiltrated environment variables, API keys, and authentication tokens from developers' machines and CI/CD pipelines.

AI coding tools are especially susceptible to this attack because they recommend packages by name — and a name like "chalk-next" sounds like a plausible upgrade to the AI.

Fix: Always verify package names before installing. Use npm audit regularly. Be suspicious of packages with names similar to popular libraries.

Slopsquatting: AI Hallucinated Package Names as Attack Vectors

Your AI recommends a package that doesn't exist. An attacker registers it with malware.

Researchers found that 20% of package recommendations from AI coding tools point to packages that don't actually exist. The AI hallucinated the names. Attackers figured this out and started registering these hallucinated names with malicious code.

The attack is insidious: the AI confidently recommends npm install some-package, the developer trusts it (the AI has been right about everything else), and they install malware. The study found that 58% of hallucinated package names were repeated consistently, making them predictable and weaponizable.

Fix: Before running npm install on any AI-recommended package, check that it exists on npmjs.com. Look at download counts, last publish date, and GitHub repo. If it looks brand new with almost no downloads, be suspicious.
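
The checks from the chalk-next / debug-js fix and the slopsquatting fix above, combined in one added example (not the page's or npm's code). The registry document and download count are constructed samples shaped like npm's registry and downloads-API responses; the affix list and the 30-day and 1,000-download thresholds are assumptions.

```javascript
// Names to protect. The page names chalk and debug; extend with your own dependencies.
const POPULAR = ["chalk", "debug"];
// Affixes that make a clone read like an official variant (assumed list).
const AFFIXES = ["next", "js", "node", "new", "latest", "v2"];

// Levenshtein distance, used to catch one-character typos of a popular name.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Returns the popular package that `name` appears to imitate, or null.
function looksLike(name) {
  const bare = name.toLowerCase();
  if (POPULAR.includes(bare)) return null;
  const parts = bare.split(/[-_.]/);
  for (const p of POPULAR) {
    const affixed = parts.includes(p) && parts.every((x) => x === p || AFFIXES.includes(x));
    if (affixed || editDistance(bare, p) === 1) return p;
  }
  return null;
}

// packument: registry document for the name, or null when the registry returns 404.
// weeklyDownloads: the last-week count from the npm downloads API.
function vetPackage(name, packument, weeklyDownloads, now = Date.now()) {
  if (!packument) return ["not-in-registry"]; // hallucinated name: stop here
  const findings = [];
  const target = looksLike(name);
  if (target) findings.push(`resembles:${target}`);
  const ageDays = (now - Date.parse(packument.time.created)) / 86400000;
  if (ageDays < 30) findings.push("new-package");
  if (weeklyDownloads < 1000) findings.push("low-downloads");
  if (!packument.repository) findings.push("no-repository");
  return findings;
}

// Constructed sample data (not real registry responses).
const NOW = Date.parse("2025-09-15T00:00:00Z");
const SAMPLES = {
  "chalk-next": { doc: { time: { created: "2025-09-08T10:00:00Z" } }, downloads: 120 },
  chalk: { doc: { time: { created: "2013-01-01T00:00:00Z" }, repository: { type: "git" } }, downloads: 50000000 },
};
for (const [n, s] of Object.entries(SAMPLES)) console.log(n, vetPackage(n, s.doc, s.downloads, NOW));
```

An empty result is not proof of safety; it only means none of these signals fired. A "not-in-registry" result means the name is unregistered today and could be claimed by anyone tomorrow.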

Amazon Q VS Code Extension Compromise

Malicious AI extensions on the official VS Code marketplace.

Researchers discovered that attackers had published malicious extensions on the official VS Code Marketplace impersonating Amazon Q and other AI coding tools. These extensions had access to your code, your terminal, and your file system — the same permissions legitimate AI extensions need to function.

The extensions would intercept code suggestions, inject backdoors into generated code, and exfiltrate sensitive files from your workspace. Because they looked legitimate and were on the official marketplace, many developers installed them without question.

Fix: Only install extensions from verified publishers. Check the publisher's name carefully — look for subtle misspellings. Review extensions' permissions before installing.

What These CVEs Have in Common

Every vulnerability on this list shares a theme: the tools and frameworks that vibe coders trust the most had serious security flaws.

This isn't a criticism of vibe coding. These vulnerabilities affected all developers using these tools. But vibe coders are disproportionately impacted because:

The solution isn't to stop using AI tools. It's to verify what they produce — just like you'd test-drive a car before buying it, even if a trusted friend recommended it.


How SecureYourVibe Helps

We've added detection for several of these vulnerabilities to our scanner:

| Vulnerability | Detection |
| --- | --- |
| CVE-2025-29927 (Next.js middleware bypass) | Active probe — we send the bypass header and check if auth is bypassed |
| CVE-2025-55182 (React2Shell) | Version detection — we flag vulnerable React 19.x versions |
| Exposed Supabase/Firebase credentials | Secret scanning — we check your client-side JS for database credentials |
| Unprotected AI proxy endpoints | Active probe — we test common AI API paths for unauthenticated access |
| Outdated frameworks with known CVEs | Version detection — we identify framework versions and flag known vulnerabilities |

Are you running a vulnerable version?

SecureYourVibe checks for these CVEs automatically. Free scan, no signup, 30 seconds.

Published by SecureYourVibe — the free security scanner for AI-built apps.

CVE details sourced from NVD, GitHub Security Advisories, Socket.dev, and independent security researcher disclosures.
