CVE-2025-27784
Published: 19 March 2025
Summary
CVE-2025-27784 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Applio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the arbitrary file read flaw in train.py's `export_pth` function to eliminate the vulnerability.
- SI-10 (Information Input Validation): implements input validation and error handling at entry points to block path traversal or improper parameters that enable arbitrary file reads via `export_pth`.
- AU-13 (Monitoring for Information Disclosure): monitors the system specifically for unauthorized information disclosures, identifying exploitation of the arbitrary file read vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file read in a public-facing application enables remote exploitation (T1190), direct access to files on the local system (T1005), and extraction of credentials stored in files (T1552.001).
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_pth` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio server has access to. As of time of publication, no known patches are available.
Deeper analysis
CVE-2025-27784 is an arbitrary file read vulnerability in Applio, an open-source voice conversion tool. It affects versions 3.2.8-bugfix and prior, stemming from improper handling in the `export_pth` function within the train.py module. The flaw, associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no requirements for privileges or user interaction.
Remote attackers can exploit this vulnerability without authentication by triggering the flawed export function, enabling them to read arbitrary files on the Applio server. When combined with blind server-side request forgery, it allows extraction of files from internal network servers that the Applio instance can access, potentially exposing sensitive configuration, credentials, or other data.
The GitHub Security Lab advisory (GHSL-2024-341 and GHSL-2024-353) details the issue with references to specific code lines in train.py but notes no patches are available as of the CVE's publication on 2025-03-19. Security practitioners should monitor the Applio repository for updates and consider network segmentation or disabling the affected train functionality until remediation.
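As an added example (not Applio's own code), the kind of input validation SI-10 calls for at an export entry point: a hypothetical export routine is assumed to take a user-supplied filename and should only ever hand back `.pth` files located under a fixed export directory, so the check resolves the requested path and rejects anything that escapes that directory.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical hardening for an export routine that takes a user-supplied
# filename; added example, not Applio's export_pth code.
class UnsafeExportPath(ValueError):
    """Raised when a requested export path escapes the allowed directory."""

def resolve_export_path(base_dir: str, requested: str,
                        allowed_suffixes=(".pth",)) -> Path:
    """Map a user-supplied name onto a file under base_dir, or raise.
    '..' and symlinks are resolved before the containment check, so
    traversal, absolute paths and planted symlinks are all rejected."""
    if not requested or Path(requested).is_absolute():
        raise UnsafeExportPath(f"absolute or empty path rejected: {requested!r}")
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # ValueError if target is not under base
    except ValueError:
        raise UnsafeExportPath(f"path escapes export dir: {requested!r}") from None
    if target.suffix not in allowed_suffixes:
        raise UnsafeExportPath(f"unexpected file type: {target.suffix!r}")
    return target

def is_safe_export_path(base_dir: str, requested: str) -> bool:
    """Accept/reject wrapper for callers that do not need the path."""
    try:
        resolve_export_path(base_dir, requested)
        return True
    except UnsafeExportPath:
        return False

def run_demo() -> dict:
    """Run the check against constructed inputs in throwaway directories."""
    with tempfile.TemporaryDirectory() as exports, tempfile.TemporaryDirectory() as outside:
        secret = Path(outside) / "secret.pth"  # constructed 'sensitive' file
        secret.write_text("constructed sensitive content")
        (Path(exports) / "model.pth").write_text("constructed model")
        (Path(exports) / "link.pth").symlink_to(secret)  # planted symlink
        return {
            "plain": is_safe_export_path(exports, "model.pth"),
            "traversal": is_safe_export_path(exports, os.path.relpath(secret, exports)),
            "absolute": is_safe_export_path(exports, str(secret)),
            "symlink": is_safe_export_path(exports, "link.pth"),
            "wrong_type": is_safe_export_path(exports, "model.txt"),
        }
```

Only the plain in-directory `.pth` request is accepted; the traversal, absolute-path, symlink and wrong-extension requests are all refused before any file is opened.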
Details
- CWE(s)