An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
The vulnerability consists of improper resource access using incompatible data types (type confusion). An attacker can provide specially crafted input data that the library will process using the wrong type, leading to unintended application behavior. The attack vector is network-based, does not require authentication or user interaction, which makes it particularly dangerous.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to sensitive data, modify application data or resources, and disrupt its operation — which corresponds to C:H/I:H/A:H ratings on the CVSS scale.
Patches available from the manufacturer should be applied in accordance with the references. It is recommended to monitor the project repository (https://github.com/transloadit/uppy) for information about available patches and to update the library to a version without the vulnerability as soon as possible.
transloadit uppy library version 0.25.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H