TLDR

We learned about a security vulnerability in Wasp auth related to one of our OAuth providers - Keycloak.

This doesn’t affect users using Google, Github or Discord OAuth providers.

The vulnerability affects users using Keycloak with a custom config that makes the Keycloak provided user IDs case sensitive. Users using the default ID logic with case insensitive UUIDs are not affected.

Users should upgrade to Wasp 0.16.6 which contains the fix ASAP.

Timeline

• May 23rd: Received report
  • Original email
• May 26th: Confirmed the vulnerability
• June 4th: Prepared the fix
• June 4th: Drafted a Github Security Advisory and requested a CVE
• June 4th: Notified most likely affected users on Discord privately
• June 9th: Released Wasp version 0.16.6 with the fix
• June 9th: Published the Github Security Advisory (CVE-2025-49006)
• June 9th: Notified users on Discord publicly

Description

Wasp has a concept of a ProviderId which contains the provider name and the provider specific ID.

For example it can be:

• (email ,[email protected]) for Email auth
• (google ,10769150350006150715113082367) for Google auth

Wasp takes the provider specific ID (the the second part), turns it into a string and lowercases it to keep the IDs normalised.