PT-2025-24435 · Keycloak+4
Scorpil · Published 2025-06-09 · Updated 2025-06-09
CVE-2025-49006 · CVSS v4.0 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Wasp versions prior to 0.16.6
Description
The issue concerns Wasp's implementation of OAuth authentication and specifically affects Keycloak under a particular realm configuration. Wasp lowercases OAuth user IDs before storing or fetching them, which violates the OAuth and OpenID Connect specifications, under which the subject identifier is an opaque, case-sensitive string. This can lead to user impersonation, account collisions, and privilege escalation. Keycloak is affected when configured to be case-sensitive, while Google, GitHub, and Discord are not affected because they use numeric IDs.
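Added example, not code from Wasp or from this advisory: a minimal model of the OAuth identity lookup that shows the lowercasing defect beside the exact-match fix, plus an audit check for stored subjects that differ only by case. The provider name, the subject strings and all function names are constructed for illustration.

```javascript
// Models the lookup an app performs when an OAuth login completes: the local
// account is keyed by (providerName, providerUserId). Lowercasing that key
// before the lookup is the defect described above; exact comparison is the fix.

// Vulnerable normalisation: case information is discarded before store/fetch.
function normalizeVulnerable(providerUserId) {
  return providerUserId.toLowerCase();
}

// Fixed normalisation: the subject is opaque and is compared exactly as issued.
function normalizeFixed(providerUserId) {
  return providerUserId;
}

// Tiny in-memory account store; `normalize` selects the behaviour being modelled.
function createIdentityStore(normalize) {
  const accounts = new Map(); // "provider:subject" -> account record
  let nextId = 1;
  return {
    // Returns the local account for this OAuth identity, creating it if unseen.
    findOrCreate(providerName, providerUserId) {
      const key = `${providerName}:${normalize(providerUserId)}`;
      if (!accounts.has(key)) {
        accounts.set(key, { id: nextId++, providerName, providerUserId });
      }
      return accounts.get(key);
    },
    size() { return accounts.size; },
  };
}

// Constructed scenario: a case-sensitive Keycloak realm issues two distinct
// subjects, "Alice" and "alice". With the vulnerable normalisation both map
// to one local account (collision); with the fix they stay separate.
function collisionDemo(normalize) {
  const store = createIdentityStore(normalize);
  const first = store.findOrCreate("keycloak", "Alice");
  const second = store.findOrCreate("keycloak", "alice");
  return { collided: first.id === second.id, accounts: store.size() };
}

// Defender audit: list pairs of stored subjects that differ only by case, i.e.
// identities an affected version would have merged or that a fix would split.
function findCaseCollisions(providerUserIds) {
  const seen = new Map(); // lowercased form -> first exact subject seen
  const collisions = [];
  for (const id of providerUserIds) {
    const folded = id.toLowerCase();
    if (seen.has(folded) && seen.get(folded) !== id) collisions.push([seen.get(folded), id]);
    else seen.set(folded, id);
  }
  return collisions;
}
```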
Recommendations
For versions prior to 0.16.6, update to version 0.16.6 to resolve the issue.
For users of Keycloak, as a temporary workaround, consider not using a case-sensitive user ID in the realm configuration to minimize the risk of exploitation.
Exploit
Fix
LPE
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Discord
GitHub
Google
Keycloak
Wasp