Access of Resource Using Incompatible Type ('Type Confusion') Affecting py3.14-uv-build-bin package, versions <0.11.0-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.44% (36th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-PY314UVBUILDBIN-15286035
  • published17 Feb 2026
  • disclosed4 Feb 2026

Introduced: 4 Feb 2026

CVE-2026-25537  (opens in a new tab)
CWE-843  (opens in a new tab)

How to fix?

Upgrade Minimos:latest py3.14-uv-build-bin to version 0.11.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3.14-uv-build-bin package and not the py3.14-uv-build-bin package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.

CVSS Base Scores

version 3.1