Description
An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
Published: 2026-04-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential denial of service and data integrity impact
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from improper handling of resource types in Transloadit Uppy v0.25.6, causing a type mismatch that can lead to undefined behavior when the application processes mismatched data. This weakness is formally classified as CWE‑843, Access of Resource Using Incompatible Type. While the specific behavioral outcomes are not detailed in the advisory, type confusion can cause the application to crash, misinterpret data, or expose unexpected state, potentially disrupting service availability or compromising data integrity.

Affected Systems

Transloadit Uppy v0.25.6 is identified as affected. No other vendor or product information is currently listed for this vulnerability. The issue is specific to the Uppy component used by Transloadit for handling uploads.

Risk and Exploitability

The CVSS base score is 9.8, EPSS probability is less than 1%, and it is not listed in KEV. This high severity score indicates significant risk despite the low likelihood of exploitation. Because no official patch or workaround is cited in the provided references, an affected organization would need to rely on its own safeguards. The likely attack vector would involve an attacker interacting with the Uppy service—most plausibly by supplying a crafted upload or request that triggers the type mismatch. The absence of a listed exploit in KEV suggests no publicly known active exploit, but the undefined behavior inherent in this class of bug warrants caution.

Generated by OpenCVE AI on April 17, 2026 at 08:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Transloadit Uppy to a version that resolves the type‑mismatch issue if one is available.
  • Implement input validation on all uploads to ensure that only expected resource types are accepted before processing.
  • Configure application monitoring to detect unexpected crashes or abnormal request patterns that could indicate exploitation attempts.
  • Restrict access to the Uppy upload endpoint to trusted networks or users until a patch can be applied.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title Incompatible Resource Type Handling in Transloadit Uppy v0.25.6

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Incompatible Resource Type Handling in Transloadit Uppy v0.25.6

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Transloadit
Transloadit uppy
Vendors & Products Transloadit
Transloadit uppy

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T12:06:09.148Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70023

Vulnrichment

Updated: 2026-04-16T11:42:11.859Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:41.677

Modified: 2026-04-17T15:38:09.243

Link: CVE-2025-70023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:30:13Z

Weaknesses