CVE-2025-49006 is a high-severity vulnerability affecting the Wasp framework (version prior to 0.16.6), a Rails-like development framework for React, Node.js, and Prisma. The vulnerability arises from incorrect handling of OAuth user IDs during authentication, specifically with the Keycloak OAuth provider when configured to use case-sensitive user IDs. Wasp's authentication implementation lowercases OAuth user IDs before storing or fetching them, which violates OAuth and OpenID Connect specifications that treat user IDs as case-sensitive. This behavior can lead to user impersonation, account collisions, and privilege escalation because different users with IDs differing only in case may be treated as the same user. While Wasp supports multiple OAuth providers, only Keycloak is affected due to its default use of lowercase UUIDs and configurable case sensitivity. Other providers like Google, GitHub, and Discord use numerical IDs and are not impacted. The vulnerability does not require user interaction and can be exploited remotely without authentication, increasing its risk. The issue is classified under CWE-276 (Incorrect Default Permissions), indicating a misconfiguration or improper handling of security controls. The vulnerability has a CVSS 4.0 score of 8.2 (high severity), reflecting its potential for significant impact on confidentiality and integrity. The fix is available in Wasp version 0.16.6, which corrects the user ID handling to comply with OAuth standards. Additionally, Keycloak users can mitigate the risk by configuring their realms to avoid case-sensitive user IDs until they can upgrade Wasp. No known exploits are currently reported in the wild, but the vulnerability's nature suggests it could be targeted for privilege escalation and impersonation attacks in affected environments.

For European organizations using the Wasp framework with Keycloak as their OAuth provider, this vulnerability poses a serious risk. Exploitation could allow attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive data and systems. This could lead to data breaches, unauthorized transactions, and disruption of services. The impact on confidentiality is high due to possible exposure of user data and session hijacking. Integrity is also at risk because attackers could escalate privileges and perform unauthorized actions under another user's identity. Availability impact is limited but could occur if attackers disrupt authentication processes. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, could face regulatory penalties under GDPR if this vulnerability leads to data compromise. The fact that exploitation requires no user interaction and no prior authentication increases the threat level, making it easier for attackers to target vulnerable deployments. Since Wasp is a framework used to build web applications, the scope of affected systems depends on the adoption of Wasp and Keycloak in the organization's technology stack. However, any web application relying on this combination is at risk until patched.

1. Immediate upgrade of the Wasp framework to version 0.16.6 or later to apply the official fix that corrects OAuth user ID handling. 2. For organizations unable to upgrade immediately, reconfigure Keycloak realms to use case-insensitive user IDs or avoid case-sensitive UUIDs to prevent collisions and impersonation. 3. Conduct an audit of all applications using Wasp with Keycloak to identify affected instances and prioritize patching. 4. Implement strict monitoring and logging of authentication events to detect unusual login patterns or potential impersonation attempts. 5. Enforce multi-factor authentication (MFA) on critical applications to reduce the risk of unauthorized access even if impersonation occurs. 6. Review and tighten access controls and permissions within applications to limit the impact of potential privilege escalation. 7. Educate development and security teams about the importance of adhering to OAuth and OpenID Connect specifications to prevent similar issues in custom implementations. 8. Regularly update and patch all components of the authentication stack, including OAuth providers and frameworks, to minimize exposure to known vulnerabilities.