TLDR

We learned about a security vulnerability in Wasp auth related to our OAuth support.

This issue only affects users using Keycloak authentication with non-default case-sensitive IDs.

Every other configuration (Google, GitHub, Discord, or Keycloack with the default case-insensitive configuration) is not affected. Email and username auth providers are also not affected.

Users should upgrade to Wasp 0.16.6 which contains the fix ASAP.

Timeline

• May 23rd: Received report
  • Original email
• May 26th: Confirmed the vulnerability
• June 4th: Prepared the fix
• June 4th: Drafted a Github Security Advisory and requested a CVE
• June 4th: Notified most likely affected users on Discord privately
• June 9th: Released Wasp version 0.16.6 with the fix
• June 9th: Published the Github Security Advisory (CVE-2025-49006)
• June 9th: Notified users on Discord publicly

Description

Wasp has a concept of a ProviderId which contains the provider name and the provider specific ID.

For example it can be:

• (email ,[email protected]) for Email auth
• (google ,10769150350006150715113082367) for Google auth

Wasp takes the provider specific ID (the the second part), turns it into a string and lowercases it to keep the IDs normalised.