Static Analysis of 48 AI-Generated Apps: 90% Had Security Vulnerabilities

✍️ OpenClawRadar · 📅 Published: May 13, 2026

A developer recently shared results from running static analysis on 48 public GitHub repos built with Lovable, Bolt, or Replit. The findings: 90% had at least one security vulnerability. The breakdown of issues:

  • 44% — authentication gaps: routes unprotected despite a login system
  • 33% — Postgres functions marked SECURITY DEFINER, bypassing row-level security
  • 25% — BOLA/IDOR: missing ownership checks in database queries
  • 25% — committed .env or config files

The auth gap is instructive: AI tools generate working login flows (registration, email verification, sessions, password reset) but often fail to protect individual API routes or pages. The prompt was "build a dashboard with auth" — the LLM built both, but did not verify that every route sits behind a guard. The pattern is systematic, not random.


SECURITY DEFINER is the hidden one: AI tools generate these to resolve permission errors locally. The function runs as DB superuser, bypassing all RLS policies. The app works perfectly locally but is exploitable in production — no error or warning.
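The SECURITY DEFINER pattern described above, as an added example in plain PostgreSQL (not code from the post or from any of the tools it discusses): the weak helper beside the corrected one, plus the audit query that surfaces such functions. The notes table, the app_user role and the app.user_id session variable are assumptions made for the example.

```sql
-- Constructed schema: each row of "notes" belongs to one application user.
-- Assumed: the app connects as the non-superuser role app_user and stores the
-- caller's identity per request in the session variable app.user_id.
CREATE TABLE notes (
  id       bigserial PRIMARY KEY,
  owner_id text NOT NULL,
  body     text NOT NULL
);
INSERT INTO notes (owner_id, body)             -- constructed sample rows
VALUES ('alice', 'a1'), ('bob', 'b1'), ('bob', 'b2');

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
CREATE POLICY notes_owner_only ON notes
  USING (owner_id = current_setting('app.user_id', true));

-- WEAK: app_user has no SELECT grant, so a plain query fails locally.
-- Marking the helper SECURITY DEFINER makes that error go away because the
-- body now runs with the privileges of the function's owner; a table owner
-- (unless FORCE ROW LEVEL SECURITY is set) or a superuser is not subject to
-- the policy, so every user's rows come back with no error or warning.
CREATE FUNCTION get_notes_definer() RETURNS SETOF notes
LANGUAGE sql SECURITY DEFINER AS $$ SELECT * FROM notes $$;

-- FIXED: grant the privilege that was actually missing and keep the default
-- SECURITY INVOKER, so the body runs as the caller and the policy applies.
GRANT SELECT ON notes TO app_user;
CREATE FUNCTION get_notes() RETURNS SETOF notes
LANGUAGE sql SECURITY INVOKER AS $$ SELECT * FROM notes $$;

-- Exercise both the way the app would, for one request from alice.
SET ROLE app_user;
SELECT set_config('app.user_id', 'alice', false);
SELECT id, owner_id FROM get_notes();          -- filtered by the policy
SELECT id, owner_id FROM get_notes_definer();  -- unfiltered when the owner bypasses RLS
RESET ROLE;

-- Defence in depth: apply the policy to the table owner too, so even the
-- definer function above is filtered unless its owner is a superuser.
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- Audit check: list every SECURITY DEFINER function outside system schemas,
-- the signal the static analysis in the post flagged.
SELECT n.nspname AS schema, p.proname AS function,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```

The audit query is the cheapest check to add to a migration review or CI step: any row it returns whose owner is the table owner or a superuser deserves the same scrutiny as an unauthenticated route.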

The author notes this isn't a Claude-specific problem; it's a constraint of LLMs generating code from "write me a working app" prompts without adversarial thinking.

📖 Read the full source: r/ClaudeAI
