{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70023", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T12:06:09.148Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T17:09:50.429Z"}, "descriptions": [{"lang": "en", "value": "An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/transloadi"}, {"url": "https://github.com/transloadit/uppy"}, {"url": "https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-843", "lang": "en", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:42:16.171777Z", "id": "CVE-2025-70023", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:06:09.148Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70023", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T11:42:16.171777Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:42:11.859Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/transloadi"}, {"url": "https://github.com/transloadit/uppy"}, {"url": "https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e"}], "descriptions": [{"lang": "en", "value": "An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T17:09:50.429Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70023", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:06:09.148Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6."}], "id": "CVE-2025-70023", "lastModified": "2026-04-16T13:16:46.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T18:16:41.677", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e"}, {"source": "cve@mitre.org", "url": "https://github.com/transloadi"}, {"source": "cve@mitre.org", "url": "https://github.com/transloadit/uppy"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.25.6"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "uppy", "vendor": "transloadit"}], "analysis": {"en": {"generated_at": "2026-04-17T08:27:56.701079+00:00", "value": {"mitigation_remediation": ["Upgrade Transloadit\u202fUppy to a version that resolves the type\u2011mismatch issue if one is available.", "Implement input validation on all uploads to ensure that only expected resource types are accepted before processing.", "Configure application monitoring to detect unexpected crashes or abnormal request patterns that could indicate exploitation attempts.", "Restrict access to the Uppy upload endpoint to trusted networks or users until a patch can be applied."], "summary": {"action": "Patch Now", "impact": "Potential denial of service and data integrity impact"}, "threat_synthesis": {"affected_systems": "Transloadit\u202fUppy\u202fv0.25.6 is identified as affected. No other vendor or product information is currently listed for this vulnerability. The issue is specific to the Uppy component used by Transloadit for handling uploads.", "description_and_impact": "The vulnerability arises from improper handling of resource types in Transloadit\u202fUppy\u202fv0.25.6, causing a type mismatch that can lead to undefined behavior when the application processes mismatched data. This weakness is formally classified as CWE\u2011843, Access of Resource Using Incompatible Type. While the specific behavioral outcomes are not detailed in the advisory, type confusion can cause the application to crash, misinterpret data, or expose unexpected state, potentially disrupting service availability or compromising data integrity.", "risk_and_exploitability": "The CVSS base score is 9.8, EPSS probability is less than 1%, and it is not listed in KEV. This high severity score indicates significant risk despite the low likelihood of exploitation. Because no official patch or workaround is cited in the provided references, an affected organization would need to rely on its own safeguards. The likely attack vector would involve an attacker interacting with the Uppy service\u2014most plausibly by supplying a crafted upload or request that triggers the type mismatch. The absence of a listed exploit in KEV suggests no publicly known active exploit, but the undefined behavior inherent in this class of bug warrants caution."}}}}, "created": "2026-04-15T14:41:09.665870+00:00", "updated": "2026-04-17T08:30:13.703351+00:00", "vendors": ["transloadit", "transloadit$PRODUCT$uppy"]}