Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to 0.16.6 which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration.
AnalysisAI
Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.
Technical ContextAI
The vulnerability exists in Wasp's OAuth authentication layer, which implements OpenID Connect provider integration for frameworks using React, Node.js, and Prisma. The root cause (CWE-276: Incorrect Default Permissions) manifests as improper handling of user identity claims during OAuth token exchange. Specifically, Wasp converts user IDs to lowercase during the authentication flow (lines handling user_id claims from OAuth providers) before persisting them to the Prisma ORM layer. OAuth 2.0 and OpenID Connect specifications (RFC 6749, OpenID Connect Core 1.0) treat user IDs as case-sensitive opaque strings; lowercasing violates this contract. Keycloak, by default, generates UUID-based user IDs in lowercase, rendering the flaw invisible unless administrators explicitly enable case-sensitive ID configuration in the realm settings. Competing providers (Google, GitHub, Discord) use purely numerical IDs, which are unaffected by case-folding operations. The vulnerability enables collision attacks where two distinct Keycloak users with IDs differing only in case (e.g., 'abcd-1234' vs 'ABCD-1234') would map to the same Wasp user account post-authentication.
RemediationAI
Primary remediation: Update Wasp to version 0.16.6 or later. The patch removes the lowercasing operation on OAuth user ID claims, preserving case sensitivity in alignment with OAuth/OpenID Connect specifications. For Wasp users unable to upgrade immediately: Workaround via Keycloak configuration—disable case-sensitive user IDs in the Keycloak realm settings, ensuring all user IDs are generated and stored in lowercase, thereby neutralizing the collision vector (this matches Keycloak's default behavior and is the recommended interim mitigation). Secondary mitigation: Conduct account audit on affected Wasp instances to identify any user accounts created from Keycloak with differing case variants; merge or isolate such accounts pending upgrade. Refer to Wasp GitHub releases (github.com/wasp-lang/wasp/releases/tag/0.16.6) for detailed patch notes and deployment instructions.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17468