CVE-2025-49006

Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration.

CVSS

No CVSS.

References

Link	Resource
https://github.com/wasp-lang/wasp/commit/433b9b7f491c172db656fb94cc85e5bd7d614b74
https://github.com/wasp-lang/wasp/security/advisories/GHSA-qvjc-6xv7-6v5f
https://wasp-lang.notion.site/PUB-Case-insensitive-OAuth-ID-vulnerability-20018a74854c8064a2bfebe4eaf5fceb

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-09 13:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-49006

Mitre link : CVE-2025-49006

CVE.ORG link : CVE-2025-49006

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2025-49006", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-09T13:15:23.650", "references": [{"url": "https://github.com/wasp-lang/wasp/commit/433b9b7f491c172db656fb94cc85e5bd7d614b74", "source": "security-advisories@github.com"}, {"url": "https://github.com/wasp-lang/wasp/security/advisories/GHSA-qvjc-6xv7-6v5f", "source": "security-advisories@github.com"}, {"url": "https://wasp-lang.notion.site/PUB-Case-insensitive-OAuth-ID-vulnerability-20018a74854c8064a2bfebe4eaf5fceb", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration."}, {"lang": "es", "value": "Wasp (Especificaci\u00f3n de Aplicaci\u00f3n Web) es un framework similar a Rails para React, Node.js y Prisma. Antes de la versi\u00f3n 0.16.6, la autenticaci\u00f3n de Wasp presentaba una vulnerabilidad en la implementaci\u00f3n de la autenticaci\u00f3n OAuth (que solo afectaba a Keycloak con una configuraci\u00f3n espec\u00edfica). Wasp actualmente convierte los ID de usuario de OAuth en min\u00fasculas antes de almacenarlos u obtenerlos. Este comportamiento infringe las especificaciones de OAuth y OpenID Connect y puede provocar suplantaci\u00f3n de identidad, conflictos de cuentas y escalada de privilegios. En la pr\u00e1ctica, de los proveedores de OAuth compatibles con la autenticaci\u00f3n de Wasp, solo Keycloak se ve afectado. Keycloak usa un UUID en min\u00fasculas por defecto, pero los usuarios pueden configurarlo para que distinga entre may\u00fasculas y min\u00fasculas, lo que lo hace afectado. Google, GitHub y Discord usan ID num\u00e9ricos, lo que los protege. Los usuarios deben actualizar su versi\u00f3n de Wasp a la 0.16.6, que incluye una soluci\u00f3n para el comportamiento problem\u00e1tico. Los usuarios que usan Keycloak pueden solucionar el problema no usando un ID de usuario que distinga entre may\u00fasculas y min\u00fasculas en la configuraci\u00f3n de su dominio."}], "lastModified": "2025-06-12T16:06:47.857", "sourceIdentifier": "security-advisories@github.com"}