CVE-2025-27783

CRITICAL

Applio < 3.2.8-bugfix - Arbitrary File Write and Remote Code Execution via train.py

Title source: llm

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in train.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of the time of publication, no known patches are available.

Scores

CVSS v3: 9.8
EPSS: 0.0100
EPSS Percentile: 58.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1): applio/applio < 3.2.8-bugfix
Published: Mar 19, 2025
Tracked Since: Feb 18, 2026