←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
779 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0s | source
Show context
tptacek ◴[08 Jul 25 19:15 UTC] No.44503091[source]
This is just XSS mapped to LLMs. The problem, as is so often the case with admin apps (here "Cursor and the Supabase MCP" is an ad hoc admin app), is that they get a raw feed of untrusted user-generated content (they're internal scaffolding, after all).

In the classic admin app XSS, you file a support ticket with HTML and injected Javascript attributes. None of it renders in the customer-facing views, but the admin views are slapped together. An admin views the ticket (or even just a listing of all tickets) and now their session is owned up.

Here, just replace HTML with LLM instructions, the admin app with Cursor, the browser session with "access to the Supabase MCP".

replies(4): >>44503182 #>>44503194 #>>44503269 #>>44503304 #
otterley ◴[08 Jul 25 19:35 UTC] No.44503269[source]
Oh, Jesus H. Christ: https://github.com/supabase-community/supabase-mcp/blob/main...
replies(2): >>44503322 #>>44503344 #
tptacek ◴[08 Jul 25 19:41 UTC] No.44503322[source]
This to me is like going "Jesus H. Christ" at the prompt you get when you run the "sqlite3" command. It is also crazy to point that command at a production database and do random stuff with it. But not at all crazy to use it during development. I don't think this issue is as complicated, or as LLM-specific, as it seems; it's really just recapitulating security issues we understood pretty clearly back in 2010.

Actually, in my experience doing software security assessments on all kinds of random stuff, it's remarkable how often the "web security model" (by which I mean not so much "same origin" and all that stuff, but just the space of attacks and countermeasures) maps to other unrelated domains. We spent a lot of time working out that security model; it's probably our most advanced/sophisticated space of attack/defense research.

(That claim would make a lot of vuln researchers recoil, but reminds me of something Dan Bernstein once said on Usenet, about how mathematics is actually one of the easiest and most accessible sciences, but that ease allowed the state of the art to get pushed much further than other sciences. You might need to be in my head right now to see how this is all fitting together for me.)

replies(2): >>44503485 #>>44504552 #
ollien ◴[08 Jul 25 19:58 UTC] No.44503485[source]
> It is also crazy to point that command at a production database and do random stuff with it

In a REPL, the output is printed. In a LLM interface w/ MCP, the output is, for all intents and purposes, evaluated. These are pretty fundamentally different; you're not doing "random" stuff with a REPL, you're evaluating a command and _only_ printing the output. This would be like someone copying the output from their SQL query back into the prompt, which is of course a bad idea.

replies(1): >>44503532 #
tptacek ◴[08 Jul 25 20:02 UTC] No.44503532[source]
The output printing in a REPL is absolutely not a meaningful security boundary. Come on.
replies(1): >>44503602 #
ollien ◴[08 Jul 25 20:09 UTC] No.44503602[source]
I won't claim to be as well-versed as you are in security compliance -- in fact I will say I definitively am not. Why would you think that it isn't a meaningful difference here? I would never simply pipe sqlite3 output to `eval`, but that's effectively what the MCP tool output is doing.
replies(1): >>44503635 #
tptacek ◴[08 Jul 25 20:13 UTC] No.44503635{3}[source]
If you give a competent attacker a single input line on your REPL, you are never again going to see an output line that they don't want you to see.
replies(1): >>44503668 #
1. ollien ◴[08 Jul 25 20:17 UTC] No.44503668{4}[source]
We're agreeing, here. I'm in fact suggesting you _shouldn't_ use the output from your database as input.