CVE-2025-27782

CRITICAL

Applio < 3.2.8-bugfix - Arbitrary File Write and Remote Code Execution via inference.py

Title source: llm

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of time of publication, no known patches are available.

References (5)

Core 5

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/

Product x_refsource_misc

https://github.com/IAHispano/Applio/blob/d7d685fefd0c58e29e1d84d668613056791544a7/tabs/inference/inference.py#L1632-L1645

Product x_refsource_misc

https://github.com/IAHispano/Applio/blob/d7d685fefd0c58e29e1d84d668613056791544a7/tabs/inference/inference.py#L295

Product x_refsource_misc

https://github.com/IAHispano/Applio/blob/d7d685fefd0c58e29e1d84d668613056791544a7/tabs/inference/inference.py#L989-L1002

Product x_refsource_misc

https://github.com/IAHispano/Applio/blob/d7d685fefd0c58e29e1d84d668613056791544a7/tabs/tts/tts.py#L309-L322

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0130

EPSS Percentile 66.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

applio/applio < 3.2.8-bugfix

Published Mar 19, 2025

Tracked Since Feb 18, 2026