FixVibe

Covered by FixVibe. Severity: high

Row Level Security (RLS) Bypasses

Learn how to protect your Next.js and Supabase application by correctly configuring Row Level Security (RLS) and the server-side client.

Applications built with Next.js and Supabase often rely on Row Level Security (RLS) to protect data. Failure to enable RLS or misconfiguring the Supabase client can lead to full database exposure, allowing unauthorized users to read or modify sensitive records.

CWE-284

Impact

Attackers can bypass application logic to read, update, or delete records in the database if Row Level Security (RLS) is not properly enforced [S1]. This often results in the exposure of Personally Identifiable Information (PII) or sensitive application data to users who only have access to the public anonymous API key.

Root Cause

Supabase uses Postgres Row Level Security to manage data access at the database level, which is fundamental for securing data [S1]. In a Next.js environment, developers must create a Supabase client that correctly handles cookies and sessions to maintain security during server-side rendering [S2]. Vulnerabilities typically arise when:

  • Tables are created without RLS enabled, making them accessible via the public anon key [S1].
  • The Supabase client is misconfigured in Next.js, failing to properly pass user authentication tokens to the database [S2].
  • Developers accidentally use the service_role key in client-side code, which bypasses all RLS policies [S1].

Concrete Fixes

  • Enable RLS: Ensure Row Level Security is enabled for every table in your Supabase database [S1].
  • Define Policies: Create specific Postgres policies for SELECT, INSERT, UPDATE, and DELETE operations to restrict access based on the user's UID [S1].
  • Use SSR Clients: Implement the @supabase/ssr package to create clients in Next.js that correctly manage server-side authentication and session persistence [S2].

How FixVibe tests for it

FixVibe already covers this through deployed-app and repo checks. The passive baas.supabase-rls module discovers Supabase URL and anon-key pairs from same-origin JavaScript bundles, asks PostgREST for public table metadata, and performs limited read-only selects to confirm anonymous data exposure without mutating customer data. Repo scans also run repo.supabase.missing-rls to flag SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY, and secret scans look for service-role key exposure before it reaches the browser.
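As an added example (not FixVibe's scanner code and not Supabase's own tooling), the TypeScript below implements the two repo-side checks described above and exercises them on constructed inputs: a migration that creates a public table without RLS, the corrected migration from the Concrete Fixes section with ENABLE ROW LEVEL SECURITY and per-user SELECT and UPDATE policies keyed on auth.uid(), and a browser-bound source file that embeds a service_role key. The function names (auditMigration, findServiceRoleKeys, makeSampleJwt), the assumption that only the public schema is exposed through PostgREST, and every SQL statement and key in the samples are my own constructions; the keys are shaped like the JWT-style Supabase API keys (whose payload carries a role claim) but are placeholders, not real project keys.

```typescript
// Added example, not FixVibe's scanner. Two repo checks over constructed input:
//  1. flag migrations that create tables in an API-exposed schema without
//     ENABLE ROW LEVEL SECURITY, and count the policies attached to each table;
//  2. recognise a Supabase service_role key in client-bound source by the
//     "role" claim in the key's JWT payload (JWT-style keys assumed).

export interface RlsFinding {
  table: string;       // bare table name, lower-cased
  rlsEnabled: boolean; // ALTER TABLE ... ENABLE ROW LEVEL SECURITY seen
  policies: number;    // CREATE POLICY ... ON <table> statements seen
}

// Assumption: the project keeps the Supabase default of exposing only "public".
const EXPOSED_SCHEMAS = new Set(["public"]);

// Identifier: optional schema, then name; either may be double-quoted.
const IDENT = '(?:("?[a-z_][a-z0-9_]*"?)\\.)?("?[a-z_][a-z0-9_]*"?)';
const CREATE_TABLE = new RegExp("create table (?:if not exists )?" + IDENT, "gi");
const ENABLE_RLS = new RegExp("alter table (?:if exists )?(?:only )?" + IDENT + " enable row level security", "gi");
const CREATE_POLICY = new RegExp('create policy (?:"[^"]*"|[a-z_][a-z0-9_]*) on ' + IDENT, "gi");

// Strip comments and collapse whitespace so layout or casing cannot hide a statement.
function normalizeSql(sql: string): string {
  return sql.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\s+/g, " ");
}

// Bare table name when the identifier lives in an exposed schema, otherwise null.
function exposedTable(schema: string | undefined, name: string): string | null {
  const s = (schema ?? "public").replace(/"/g, "").toLowerCase();
  return EXPOSED_SCHEMAS.has(s) ? name.replace(/"/g, "").toLowerCase() : null;
}

function collect(text: string, re: RegExp): string[] {
  const out: string[] = [];
  re.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    const t = exposedTable(m[1], m[2]);
    if (t !== null) out.push(t);
  }
  return out;
}

// Check 1: one finding per exposed table created by the migration.
export function auditMigration(sql: string): RlsFinding[] {
  const text = normalizeSql(sql);
  const rls = new Set(collect(text, ENABLE_RLS));
  const policies = collect(text, CREATE_POLICY);
  return collect(text, CREATE_TABLE).map(table => ({
    table,
    rlsEnabled: rls.has(table),
    policies: policies.filter(p => p === table).length,
  }));
}

// Minimal base64url codec (dependency-free) for building and reading JWT parts.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function base64UrlEncode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff;
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}
function base64UrlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) continue; // ignore '=' padding or stray characters
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

// Constructed sample key: header.payload.signature with a placeholder signature.
export function makeSampleJwt(role: string): string {
  const header = base64UrlEncode('{"alg":"HS256","typ":"JWT"}');
  const payload = base64UrlEncode(`{"iss":"supabase","ref":"example-project","role":"${role}"}`);
  return `${header}.${payload}.${base64UrlEncode("placeholder-signature")}`;
}

// Read the role claim without verifying the signature: we classify the key, never trust it.
export function supabaseKeyRole(token: string): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return typeof claims.role === "string" ? claims.role : null;
  } catch {
    return null;
  }
}

// Check 2: every JWT-shaped token in the source whose role is service_role.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
export function findServiceRoleKeys(source: string): string[] {
  const found: string[] = [];
  JWT_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = JWT_RE.exec(source)) !== null) {
    if (supabaseKeyRole(m[0]) === "service_role") found.push(m[0]);
  }
  return found;
}

// Constructed samples (not from any real project).
export const UNSAFE_MIGRATION = `
-- table reachable with the anon key: no RLS, no policies
create table public.profiles (id uuid primary key, email text);
`;
export const SAFE_MIGRATION = `
-- same table with RLS enabled and per-user policies
create table public.profiles (id uuid primary key references auth.users(id), email text);
alter table public.profiles enable row level security;
create policy "profiles_select_own" on public.profiles for select using (auth.uid() = id);
create policy "profiles_update_own" on public.profiles for update using (auth.uid() = id) with check (auth.uid() = id);
-- not served by PostgREST under the default exposed-schema setting, so not reported
create table private.audit_log (id bigint primary key, note text);
`;
export const SAMPLE_CLIENT_SOURCE = `
const supabase = createClient("https://example-project.supabase.co", "${makeSampleJwt("anon")}");
// constructed mistake: the admin key copied from a server-only script
const admin = createClient("https://example-project.supabase.co", "${makeSampleJwt("service_role")}");
`;
```

The migration audit reports one finding per table in an exposed schema, so a table that has RLS enabled but zero policies still surfaces (RLS with no policies denies everything, which is safe but usually a sign the policies were forgotten). The key check deliberately decodes without verifying the signature: a scanner only needs to classify the key, and treating the role claim as trusted would be a mistake anywhere else.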