
The Wasp project, a full-stack web application framework for React, Node.js, and Prisma, has patched a critical authentication vulnerability affecting its OAuth implementation. Tracked as CVE-2025-49006, the flaw arises from Wasp’s mishandling of case sensitivity in OAuth user IDs—a misstep that violates industry standards and could lead to user impersonation, account collisions, and privilege escalation.
At the root cause of the vulnerability is how Wasp processes user identifiers from OAuth providers. The framework previously converted all user IDs to lowercase before storing and comparing them—a decision that seemed harmless for providers using numerical IDs, but proved dangerous in more flexible configurations.
“Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation,” the advisory explains.
The OpenID Connect specification is unambiguous: the sub (subject) claim used as the user identifier must be treated as case-sensitive.
While most supported providers—like Google, GitHub, and Discord—use numeric identifiers and are unaffected, Wasp’s support for Keycloak introduced a serious vulnerability. Keycloak uses UUIDs that can be configured to be case-sensitive. In such environments, different users could be assigned IDs like abc and ABC, but Wasp would treat them as the same user.
“Users with IDs abc and ABC would be considered the same person even though that’s against the OAuth and OpenID Connect specifications,” the advisory warns.
The advisory gives two concrete consequences of this behavior:
- Financial Exposure: “abc person adds his credit card → ABC gets access to his credit card.”
- Privilege Escalation: “admin person exists → ADMIN gets admin rights as well.”
The vulnerability stemmed from a function in Wasp’s SDK that forcibly normalized user IDs:
This logic, while acceptable for email addresses or usernames—which are often treated case-insensitively—violated core OAuth principles for provider-specific IDs.
The fix, released in Wasp version 0.16.6, ensures that only email and username identifiers are lowercased, while OAuth provider IDs retain their original casing:
“Wasp has released version 0.16.6 which includes a fix for the vulnerability – Wasp no longer lowercases user IDs received from the OAuth providers, only the email and username user IDs.”
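To make the difference concrete, the following added example (not Wasp's own code; the function and store names are hypothetical) models an identity lookup with the case-folding bug described above beside the corrected behavior, using constructed Keycloak-style IDs that differ only by case.

```javascript
// Added example, not Wasp's code: models OAuth identity lookup with and without
// the case-folding bug described in CVE-2025-49006. Names are hypothetical.

// Identifier types the fix distinguishes: email/username may be case-folded,
// OAuth provider user IDs must keep their casing (the OIDC `sub` claim is case-sensitive).
const CASE_INSENSITIVE_PROVIDERS = new Set(['email', 'username']);

// Vulnerable normalization: every provider ID is lowercased before store/lookup.
function normalizeVulnerable(providerName, providerUserId) {
  return { providerName, providerUserId: providerUserId.toLowerCase() };
}

// Fixed normalization: only email/username identifiers are lowercased.
function normalizeFixed(providerName, providerUserId) {
  const id = CASE_INSENSITIVE_PROVIDERS.has(providerName)
    ? providerUserId.toLowerCase()
    : providerUserId;
  return { providerName, providerUserId: id };
}

// Minimal in-memory identity store keyed on "provider:id" after normalization.
class IdentityStore {
  constructor(normalize) { this.normalize = normalize; this.users = new Map(); }
  key(providerName, providerUserId) {
    const n = this.normalize(providerName, providerUserId);
    return `${n.providerName}:${n.providerUserId}`;
  }
  // Find-or-create, as an OAuth login does: returns the account the login resolves to.
  login(providerName, providerUserId) {
    const k = this.key(providerName, providerUserId);
    if (!this.users.has(k)) this.users.set(k, { account: `account-${this.users.size + 1}` });
    return this.users.get(k).account;
  }
}

// Two distinct Keycloak subjects whose IDs differ only by case (constructed values),
// plus an email identity that legitimately should fold to one account.
function simulate(normalize) {
  const store = new IdentityStore(normalize);
  const first = store.login('keycloak', 'abc');
  const second = store.login('keycloak', 'ABC');   // must NOT resolve to `first`
  const email1 = store.login('email', 'Alice@Example.com');
  const email2 = store.login('email', 'alice@example.com');
  return { oauthCollide: first === second, emailMerge: email1 === email2 };
}
```

With the vulnerable normalizer `simulate` reports the two Keycloak subjects colliding into one account; with the fixed one they stay separate while the email identity still folds.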