Skip to main content

Node.js CVE-2025-49006

| EUVDEUVD-2025-17468 HIGH
Incorrect Default Permissions (CWE-276)
2025-06-09 security-advisories@github.com
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:43 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.16.6
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17468
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 13:15 nvd
HIGH 8.2

DescriptionGitHub Advisory

Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to 0.16.6 which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration.

AnalysisAI

Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.

Technical ContextAI

The vulnerability exists in Wasp's OAuth authentication layer, which implements OpenID Connect provider integration for frameworks using React, Node.js, and Prisma. The root cause (CWE-276: Incorrect Default Permissions) manifests as improper handling of user identity claims during OAuth token exchange. Specifically, Wasp converts user IDs to lowercase during the authentication flow (lines handling user_id claims from OAuth providers) before persisting them to the Prisma ORM layer. OAuth 2.0 and OpenID Connect specifications (RFC 6749, OpenID Connect Core 1.0) treat user IDs as case-sensitive opaque strings; lowercasing violates this contract. Keycloak, by default, generates UUID-based user IDs in lowercase, rendering the flaw invisible unless administrators explicitly enable case-sensitive ID configuration in the realm settings. Competing providers (Google, GitHub, Discord) use purely numerical IDs, which are unaffected by case-folding operations. The vulnerability enables collision attacks where two distinct Keycloak users with IDs differing only in case (e.g., 'abcd-1234' vs 'ABCD-1234') would map to the same Wasp user account post-authentication.

RemediationAI

Primary remediation: Update Wasp to version 0.16.6 or later. The patch removes the lowercasing operation on OAuth user ID claims, preserving case sensitivity in alignment with OAuth/OpenID Connect specifications. For Wasp users unable to upgrade immediately: Workaround via Keycloak configuration—disable case-sensitive user IDs in the Keycloak realm settings, ensuring all user IDs are generated and stored in lowercase, thereby neutralizing the collision vector (this matches Keycloak's default behavior and is the recommended interim mitigation). Secondary mitigation: Conduct account audit on affected Wasp instances to identify any user accounts created from Keycloak with differing case variants; merge or isolate such accounts pending upgrade. Refer to Wasp GitHub releases (github.com/wasp-lang/wasp/releases/tag/0.16.6) for detailed patch notes and deployment instructions.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2025-49006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy