Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)

780 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0s | source

Show context

tptacek ◴[08 Jul 25 19:15 UTC] No.44503091[source]▶

This is just XSS mapped to LLMs. The problem, as is so often the case with admin apps (here "Cursor and the Supabase MCP" is an ad hoc admin app), is that they get a raw feed of untrusted user-generated content (they're internal scaffolding, after all).

In the classic admin app XSS, you file a support ticket with HTML and injected Javascript attributes. None of it renders in the customer-facing views, but the admin views are slapped together. An admin views the ticket (or even just a listing of all tickets) and now their session is owned up.

Here, just replace HTML with LLM instructions, the admin app with Cursor, the browser session with "access to the Supabase MCP".

replies(4): >>44503182 #>>44503194 #>>44503269 #>>44503304 #

otterley ◴[08 Jul 25 19:35 UTC] No.44503269[source]▶

>>44503091 #

Oh, Jesus H. Christ: https://github.com/supabase-community/supabase-mcp/blob/main...

replies(2): >>44503322 #>>44503344 #

noselasd ◴[08 Jul 25 19:43 UTC] No.44503344[source]▶

>>44503269 #

It's an MCP for your database, ofcourse it's going to execute SQL. It's your responsibility for who/what can access the MCP that you've pointed at your database.

replies(2): >>44503594 #>>44504647 #

1. minitech ◴[08 Jul 25 22:33 UTC] No.44504647[source]▶

>>44503344 #

I think you missed the second, much more horrifying part of the code at the link. The thing “stopping” the output from being treated as instructions appears to be a set of instructions.

(permalink: https://github.com/supabase-community/supabase-mcp/blob/2ef1...)

↑