CVE-2025-49006
EUVD-2025-17468 | HIGH 8.2 (CVSS 4.0)
Published 2025-06-09 (CNA contact: [email protected])

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17468
CVE Published: Jun 09, 2025 - 13:15 (nvd), rated HIGH 8.2

Description

Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration.

Analysis

Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.

Technical Context

The vulnerability exists in Wasp's OAuth authentication layer, which integrates OAuth/OpenID Connect providers for applications built on React, Node.js, and Prisma. The root cause (CWE-276: Incorrect Default Permissions) manifests as improper handling of the user identity claim received during the OAuth token exchange: Wasp converts the provider's user ID to lowercase during the authentication flow before persisting it to, and looking it up in, the Prisma ORM layer. OAuth 2.0 and OpenID Connect (RFC 6749, OpenID Connect Core 1.0) treat the subject identifier as a case-sensitive opaque string, so lowercasing violates this contract. Keycloak generates lowercase UUID user IDs by default, which hides the flaw unless administrators explicitly enable case-sensitive user IDs in the realm settings. The other providers Wasp supports (Google, GitHub, Discord) issue purely numerical IDs, which case-folding leaves unchanged. The flaw enables collision attacks in which two distinct Keycloak users whose IDs differ only in case (e.g., 'abcd-1234' vs 'ABCD-1234') map to the same Wasp user account after authentication.

Affected Products

Wasp framework (all versions prior to 0.16.6). CPE designation: cpe:2.3:a:wasp:wasp:*:*:*:*:*:*:*:* (versions < 0.16.6). Affected configurations: Wasp deployments using Keycloak as an OAuth/OpenID Connect provider with case-sensitive user ID enabled in Keycloak realm settings. Not affected: Wasp with Google OAuth, GitHub OAuth, or Discord OAuth due to their numerical ID schemes. Not affected: Keycloak deployments with default lowercase UUID configuration (the typical deployment scenario).

Remediation

Primary remediation: update Wasp to version 0.16.6 or later. The patch removes the lowercasing of OAuth user ID claims, preserving case in line with the OAuth/OpenID Connect specifications. For Wasp users unable to upgrade immediately, a Keycloak-side workaround exists: disable case-sensitive user IDs in the Keycloak realm settings so that all user IDs are generated and stored in lowercase, which removes the collision vector (this matches Keycloak's default behavior and is the recommended interim mitigation). Secondary mitigation: audit the accounts on affected Wasp instances to identify any user accounts created from Keycloak IDs that differ only in case; merge or isolate such accounts pending the upgrade. Refer to the Wasp GitHub release (github.com/wasp-lang/wasp/releases/tag/0.16.6) for detailed patch notes and deployment instructions.
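The following is an added illustration, not Wasp's own code, that models the identity lookup described in the Technical Context and the account audit recommended above. It assumes a hypothetical in-memory identity store keyed on "provider:providerUserId"; the two constructed Keycloak identities differ only in case. The vulnerable store case-folds the ID before storing and fetching, so both logins land on one local account; the fixed store treats the ID as an opaque string, so they stay separate.

```javascript
// Added example (not Wasp's code): demonstrates the case-folding collision
// behind CVE-2025-49006 and a defensive audit for case-variant provider IDs.

// Constructed sample identities, as an OAuth callback would present them:
// provider name plus the subject ("sub") claim from the provider's ID token.
const ALICE = { providerName: 'keycloak', providerUserId: 'abcd-1234' };
const MALLORY = { providerName: 'keycloak', providerUserId: 'ABCD-1234' };
const GOOGLE_USER = { providerName: 'google', providerUserId: '1029384756' };

// Hypothetical identity store: maps "provider:normalizedId" to a local user id.
// normalizeId is the only difference between the vulnerable and fixed variants.
class IdentityStore {
  constructor(normalizeId) {
    this.normalizeId = normalizeId;
    this.users = new Map();
    this.nextUserId = 1;
  }

  key(identity) {
    return `${identity.providerName}:${this.normalizeId(identity.providerUserId)}`;
  }

  // Find-or-create, as a login callback does. Returns the local user id.
  findOrCreateUser(identity) {
    const k = this.key(identity);
    if (!this.users.has(k)) {
      this.users.set(k, this.nextUserId++);
    }
    return this.users.get(k);
  }
}

// Vulnerable behaviour (Wasp < 0.16.6): lowercase before storing / fetching.
const vulnerableStore = () => new IdentityStore((id) => id.toLowerCase());
// Fixed behaviour (Wasp 0.16.6): the provider ID is opaque and case-sensitive.
const fixedStore = () => new IdentityStore((id) => id);

// Log both Keycloak identities in and report whether they share an account.
function loginBoth(store) {
  const aliceUserId = store.findOrCreateUser(ALICE);
  const malloryUserId = store.findOrCreateUser(MALLORY);
  return { aliceUserId, malloryUserId, collided: aliceUserId === malloryUserId };
}

// Audit helper for the interim mitigation: given the provider identities as
// the identity provider reports them, return groups of identities whose IDs
// differ only in case. Under the vulnerable behaviour each such group would
// have been merged into a single Wasp account.
function findCaseVariantGroups(identities) {
  const groups = new Map();
  for (const identity of identities) {
    const k = `${identity.providerName}:${identity.providerUserId.toLowerCase()}`;
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(identity);
  }
  return [...groups.values()].filter(
    (g) => new Set(g.map((i) => i.providerUserId)).size > 1,
  );
}

// Stand-alone demonstration.
console.log('vulnerable:', loginBoth(vulnerableStore())); // collided: true
console.log('fixed:     ', loginBoth(fixedStore()));      // collided: false
console.log('audit:', findCaseVariantGroups([ALICE, MALLORY, GOOGLE_USER]));
```

Numeric IDs such as the constructed Google one are unchanged by case-folding, which is why the audit reports only the Keycloak pair; this mirrors the page's point that Google, GitHub and Discord deployments are unaffected.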

Priority Score

41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +41
POC: 0

CVE-2025-49006 vulnerability details – vuln.today