CVE-2025-49006: CWE-276: Incorrect Default Permissions in wasp-lang wasp
Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates the OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case-sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6`, which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case-sensitive user ID in their realm configuration.
AI Analysis
Technical Summary
CVE-2025-49006 is a high-severity vulnerability affecting the Wasp framework (versions prior to 0.16.6), a Rails-like development framework for React, Node.js, and Prisma. The vulnerability arises from incorrect handling of OAuth user IDs during authentication, specifically with the Keycloak OAuth provider when configured to use case-sensitive user IDs. Wasp's authentication implementation lowercases OAuth user IDs before storing or fetching them, which violates the OAuth and OpenID Connect specifications, under which user identifiers are case-sensitive. This behavior can lead to user impersonation, account collisions, and privilege escalation because two different users whose IDs differ only in case are treated as the same user. While Wasp supports multiple OAuth providers, only Keycloak is affected: it issues lowercase UUIDs by default, but a realm can be configured to use case-sensitive user IDs, and such deployments are exposed. Other providers like Google, GitHub, and Discord use numerical IDs and are not impacted. The vulnerability does not require user interaction and can be exploited remotely without authentication, increasing its risk. The issue is classified under CWE-276 (Incorrect Default Permissions), indicating a misconfiguration or improper handling of security controls. The vulnerability has a CVSS 4.0 score of 8.2 (high severity), reflecting its potential for significant impact on confidentiality and integrity. The fix is available in Wasp version 0.16.6, which corrects the user ID handling to comply with the OAuth standards. Additionally, Keycloak users can mitigate the risk by configuring their realms to avoid case-sensitive user IDs until they can upgrade Wasp. No known exploits are currently reported in the wild, but the vulnerability's nature suggests it could be targeted for privilege escalation and impersonation attacks in affected environments.
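The collision described above, as an added illustration that is not Wasp's own code: a minimal identity store keyed on the provider user ID, run once with the pre-0.16.6 normalization (lowercase before store/fetch) and once with the corrected behavior (ID used exactly as issued). The subject values and the `AuthIdentityStore` helper are constructed for this example.

```javascript
// Added example (not Wasp's code): lowercasing an OAuth provider user ID
// before storage/lookup collides two distinct case-sensitive subjects;
// keying on the exact ID keeps them apart.
class AuthIdentityStore {
  constructor({ normalizeId }) {
    this.normalizeId = normalizeId;
    this.identities = new Map(); // "provider:providerUserId" -> local user id
  }
  key(provider, providerUserId) {
    return `${provider}:${this.normalizeId(providerUserId)}`;
  }
  // Link an OAuth identity to a local user; false if the key is already taken.
  link(provider, providerUserId, localUserId) {
    const k = this.key(provider, providerUserId);
    if (this.identities.has(k)) return false;
    this.identities.set(k, localUserId);
    return true;
  }
  // Resolve an OAuth identity to a local user, or null if unknown.
  lookup(provider, providerUserId) {
    return this.identities.get(this.key(provider, providerUserId)) ?? null;
  }
}

// Vulnerable behavior (pre-0.16.6): the ID is lowercased before store/fetch.
const vulnerableStore = () =>
  new AuthIdentityStore({ normalizeId: (id) => id.toLowerCase() });
// Fixed behavior: the ID is used exactly as the provider issued it.
const fixedStore = () => new AuthIdentityStore({ normalizeId: (id) => id });

// Two constructed Keycloak subjects that differ only in letter case, as a
// case-sensitive realm could issue them. Alice signs up first, then Bob logs in.
function simulateLogins(store) {
  const provider = "keycloak";
  const aliceSub = "User-ABC123"; // constructed
  const bobSub = "user-abc123";   // constructed: same letters, different case
  store.link(provider, aliceSub, "local-alice");
  return {
    // "local-alice" means Bob resolved to Alice's account; null means a new user.
    bobResolvedTo: store.lookup(provider, bobSub),
    // false means Bob could not get his own identity row at all.
    bobLinkAccepted: store.link(provider, bobSub, "local-bob"),
  };
}
```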
Potential Impact
For European organizations using the Wasp framework with Keycloak as their OAuth provider, this vulnerability poses a serious risk. Exploitation could allow attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive data and systems. This could lead to data breaches, unauthorized transactions, and disruption of services. The impact on confidentiality is high due to possible exposure of user data and session hijacking. Integrity is also at risk because attackers could escalate privileges and perform unauthorized actions under another user's identity. Availability impact is limited but could occur if attackers disrupt authentication processes. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, could face regulatory penalties under GDPR if this vulnerability leads to data compromise. The fact that exploitation requires no user interaction and no prior authentication increases the threat level, making it easier for attackers to target vulnerable deployments. Since Wasp is a framework used to build web applications, the scope of affected systems depends on the adoption of Wasp and Keycloak in the organization's technology stack. However, any web application relying on this combination is at risk until patched.
Mitigation Recommendations
1. Immediately upgrade the Wasp framework to version 0.16.6 or later to apply the official fix that corrects OAuth user ID handling.
2. For organizations unable to upgrade immediately, reconfigure Keycloak realms to use case-insensitive user IDs or avoid case-sensitive UUIDs to prevent collisions and impersonation.
3. Conduct an audit of all applications using Wasp with Keycloak to identify affected instances and prioritize patching.
4. Implement strict monitoring and logging of authentication events to detect unusual login patterns or potential impersonation attempts.
5. Enforce multi-factor authentication (MFA) on critical applications to reduce the risk of unauthorized access even if impersonation occurs.
6. Review and tighten access controls and permissions within applications to limit the impact of potential privilege escalation.
7. Educate development and security teams about the importance of adhering to the OAuth and OpenID Connect specifications to prevent similar issues in custom implementations.
8. Regularly update and patch all components of the authentication stack, including OAuth providers and frameworks, to minimize exposure to known vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.175Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6846dc927b622a9fdf23bfd3
Added to database: 6/9/2025, 1:07:30 PM
Last enriched: 7/9/2025, 1:58:12 PM
Last updated: 8/18/2025, 12:46:09 PM
Views: 22