CVE-2025-49006
Status: Awaiting Analysis
Source: BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-06-12

Assigner: GitHub, Inc.

Description
Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in its OAuth authentication implementation (affecting only Keycloak with a specific configuration). Wasp lowercases OAuth user IDs before storing and fetching them. This behavior violates the OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, of the OAuth providers that Wasp auth supports, only Keycloak is affected: Keycloak uses a lowercase UUID by default, but it can be configured to issue case-sensitive user IDs, which makes it affected. Google, GitHub, and Discord use numerical IDs and are not affected. Users should update to Wasp `0.16.6`, which fixes the problematic behavior. Users of Keycloak can work around the issue by not using case-sensitive user IDs in their realm configuration.
Affected Vendors & Products
No structured vendor/product data is recorded yet; per the description, the affected software is Wasp in versions prior to 0.16.6 when Keycloak is used as an OAuth provider.
CWE
CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Wasp authentication system prior to version 0.16.6, specifically in its OAuth implementation when used with Keycloak configured for case-sensitive user IDs. Wasp lowercases OAuth user IDs before storing and retrieving them, which violates the OAuth and OpenID Connect specifications: OpenID Connect Core defines the `sub` claim as an opaque, case-sensitive string, so a relying party must store and compare it exactly as received. Because of this normalization, user IDs that differ only by case (e.g., 'abc' vs. 'ABC') are treated as identical, leading to user impersonation, account collisions, and potential privilege escalation. Keycloak's default lowercase UUIDs cannot differ by case, so only realms configured to issue case-sensitive user IDs are exposed; Google, GitHub, and Discord are not affected because they use numerical IDs. The issue is fixed in Wasp version 0.16.6. [1]
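The following is an added illustration of the mechanism described in the advisory text and in the answer above; it is not Wasp's own code. It models an OAuth login that maps a provider's user ID to a local account with an in-memory identity table, once with the lowercasing normalization the vulnerable versions applied and once with exact comparison. The provider user IDs, the `loginWithOAuth` function and the store layout are constructed for the example.

```javascript
// Added example (not Wasp's code): why lowercasing an OAuth provider's
// user ID before storing/fetching it merges two distinct users.

// In-memory stand-in for an identity table keyed on (providerName, providerUserId).
function createIdentityStore() {
  return new Map();
}

function identityKey(providerName, providerUserId) {
  return `${providerName}\u0000${providerUserId}`;
}

// Vulnerable behaviour (Wasp < 0.16.6): fold the provider user ID to lowercase.
function normalizeVulnerable(providerUserId) {
  return providerUserId.toLowerCase();
}

// Fixed behaviour: OpenID Connect Core defines `sub` as a case-sensitive
// string, so the relying party must store and compare it exactly as received.
function normalizeFixed(providerUserId) {
  return providerUserId;
}

// Resolve the local account for a provider identity, creating it on first login.
function loginWithOAuth(store, providerName, providerUserId, normalize) {
  const storedId = normalize(providerUserId);
  const key = identityKey(providerName, storedId);
  let account = store.get(key);
  if (!account) {
    account = { accountId: `user-${store.size + 1}`, providerName, providerUserId: storedId };
    store.set(key, account);
  }
  return account.accountId;
}

// Constructed IDs differing only in case, as a Keycloak realm configured for
// case-sensitive user IDs could issue them. Keycloak's default lowercase
// UUIDs cannot collide this way.
const VICTIM_ID = 'Ab12Cd34';
const ATTACKER_ID = 'ab12cd34';

// Log the victim in first, then a second principal whose ID differs only in
// case, and report whether both ended up on the same local account.
function demonstrate(normalize) {
  const store = createIdentityStore();
  const victim = loginWithOAuth(store, 'keycloak', VICTIM_ID, normalize);
  const attacker = loginWithOAuth(store, 'keycloak', ATTACKER_ID, normalize);
  return { victim, attacker, collided: victim === attacker, accounts: store.size };
}

console.log('vulnerable:', demonstrate(normalizeVulnerable));
console.log('fixed:     ', demonstrate(normalizeFixed));
```

With the vulnerable normalization the second login resolves to the first user's account and the store holds a single identity; with exact comparison two separate accounts are created. The same exact-match rule applies to any provider whose identifiers are not guaranteed lowercase, not only to Keycloak.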


How can this vulnerability impact me?

This vulnerability can allow an attacker to impersonate other users, cause account collisions where multiple distinct user accounts are treated as one, and escalate privileges within the application. This can lead to unauthorized access to user data and functionality, compromising the security and integrity of the affected system. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Check two things: whether your Wasp application is on a version prior to 0.16.6, and whether it uses Keycloak as an OAuth provider with case-sensitive user IDs. The Wasp version can be verified with `wasp version` or from the `wasp: { version: ... }` field in the project's `main.wasp` file. To determine whether your deployment is exposed, inspect the Keycloak realm configuration to see whether user IDs can contain uppercase characters (the default lowercase UUIDs cannot). There are no network-level indicators for this vulnerability. Note that Wasp's own identity records will not reveal collisions directly, because every stored ID was already lowercased; instead, compare the set of user IDs your Keycloak realm actually issues (and, where available, the IDs seen in authentication logs) against what Wasp stored. Any two realm IDs that differ only in case map to one Wasp identity and indicate an exploitable or already exploited collision. [1]
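An added example of the comparison described above, not part of the advisory or of Wasp: given the user IDs a Keycloak realm actually issues, it finds the groups that a case-folding Wasp would have merged into one local account, and classifies the lowercased IDs found in Wasp's identity records as unique, ambiguous or orphaned. The sample IDs and stored records are constructed; how you export the realm's user IDs (Keycloak admin console or API) is assumed, and the function names are the example's own.

```javascript
// Added example (not Wasp's code): detect provider user IDs that collide
// under the lowercasing applied by Wasp < 0.16.6.

// Constructed sample of IDs as a Keycloak realm with case-sensitive user IDs
// might issue them. The last two are default-style lowercase UUIDs, which can
// never collide under case folding.
const SAMPLE_KEYCLOAK_USER_IDS = [
  'Ab12Cd34',
  'ab12cd34',
  'AB12CD34',
  'Zz99',
  '8f3c2a1e-0000-4b7d-9a1c-2d3e4f5a6b7c',
  '8f3c2a1e-1111-4b7d-9a1c-2d3e4f5a6b7c',
];

// Constructed sample of providerUserId values as a vulnerable Wasp would have
// stored them (already lowercased).
const SAMPLE_STORED_IDS = ['ab12cd34', 'zz99', 'deadbeef'];

// Group provider user IDs by their lowercased form and return the groups with
// more than one member: each is a set of real users the vulnerable code
// conflated into the single record `storedAs`.
function findCaseCollisions(providerUserIds) {
  const groups = new Map();
  for (const id of providerUserIds) {
    const folded = id.toLowerCase();
    if (!groups.has(folded)) groups.set(folded, new Set());
    groups.get(folded).add(id);
  }
  const collisions = [];
  for (const [folded, ids] of groups) {
    if (ids.size > 1) collisions.push({ storedAs: folded, actualIds: [...ids].sort() });
  }
  return collisions;
}

// For each lowercased ID in Wasp's identity records, decide whether exactly
// one real provider ID folds to it ('unique'), several do ('ambiguous': the
// account's owner cannot be determined from the record alone), or none does
// ('orphan': the realm no longer issues such an ID).
function classifyStoredIdentities(storedLowercaseIds, providerUserIds) {
  const collisions = new Map(
    findCaseCollisions(providerUserIds).map((c) => [c.storedAs, c.actualIds]),
  );
  const known = new Set(providerUserIds.map((id) => id.toLowerCase()));
  return storedLowercaseIds.map((stored) => ({
    stored,
    status: collisions.has(stored) ? 'ambiguous' : known.has(stored) ? 'unique' : 'orphan',
    candidates: collisions.get(stored) ?? [],
  }));
}

console.log(findCaseCollisions(SAMPLE_KEYCLOAK_USER_IDS));
console.log(classifyStoredIdentities(SAMPLE_STORED_IDS, SAMPLE_KEYCLOAK_USER_IDS));
```

Any 'ambiguous' record is one where a login by either real user would have landed on the same Wasp account; those accounts need manual review before or after the upgrade, since the stored lowercase value alone does not say which realm user legitimately owns them.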


What immediate steps should I take to mitigate this vulnerability?

Update your Wasp framework to version 0.16.6 or later, which contains the fix that stops lowercasing OAuth user IDs. If you use Keycloak and cannot update immediately, configure your realm so that user IDs are not case sensitive (Keycloak's default lowercase UUIDs satisfy this) as a workaround. After upgrading, check that identities stored while IDs were being lowercased still resolve to the intended users and that no local account was shared by two realm users whose IDs differ only in case. These steps prevent the user impersonation, account collisions, and privilege escalation caused by the vulnerability. [1, 2]

