CVE-2025-27785
Published: 19 March 2025
Summary
CVE-2025-27785 is a high-severity Path Traversal (CWE-22) vulnerability in Applio, an open-source voice conversion tool (vendor: Applio). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): directly prevents path traversal in the export_index function by validating inputs so that arbitrary file path manipulation is rejected.
- SC-7 (Boundary Protection): restricts unauthenticated network access to the Applio server, blocking remote exploitation of the vulnerability over the network.
- Least-privilege process configuration: limits the privileges of the Applio process so that it cannot read sensitive files, reducing the impact of a successful arbitrary file read.
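The input-validation control above is the one a maintainer can apply in code. The following is an added example written for this page, not Applio's train.py: it shows the CWE-22 shape (user input joined to a base directory and opened), a common but insufficient string-prefix fix, and a containment check that resolves both sides and compares path components. The function names, the directory layout and the files it creates are assumptions constructed for the example.

```python
"""Added example (not Applio's code): confining a user-supplied path to one directory.

The function names, the directory layout and the on-disk files below are
assumptions constructed for this example; only the pattern (an os.path.join of
user input followed by open(), and the check that closes it) is the point.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Illustrative CWE-22 shape: join user input to a base directory and open it.

    os.path.join discards base_dir entirely when `requested` is absolute, and
    '..' segments walk out of it, so any file the process can read is exposed.
    """
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def naive_prefix_ok(base_dir: str, requested: str) -> bool:
    """A common but insufficient fix: resolve, then compare as a string prefix.

    '/data/models_evil/x' starts with '/data/models', so a sibling directory
    whose name extends the base name is wrongly accepted.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    return str(candidate).startswith(str(base))


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the canonical path of `requested` under `base_dir`, or raise.

    Both sides are resolved (which also follows symlinks), then containment is
    checked with Path.relative_to, which works on path components rather than
    characters. Absolute input, '..' escapes, symlinks pointing outside the
    base, and the sibling-prefix case are all rejected.
    """
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / requested).resolve()  # absolute `requested` replaces base here
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {base}") from None
    return candidate


def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened counterpart of vulnerable_read."""
    path = resolve_within(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_bytes()


def _served(reader, base_dir: str, requested: str) -> bool:
    """True if `reader` returned file contents, False if it refused or failed."""
    try:
        reader(base_dir, requested)
        return True
    except (PathTraversalError, OSError):
        return False


def demo() -> dict:
    """Build a constructed tree and probe each variant; return the outcomes.

    Each entry is {"vulnerable": bool, "naive": bool, "safe": bool}, where True
    means the probe was accepted (the file would have been returned).
    """
    root = Path(tempfile.mkdtemp())
    models = root / "models"
    models.mkdir()
    (models / "voice.index").write_bytes(b"index-bytes")      # legitimate target
    (root / "secret.txt").write_bytes(b"top-secret")          # outside the base
    (root / "models_evil").mkdir()
    (root / "models_evil" / "x.bin").write_bytes(b"sibling")  # prefix-collision sibling

    probes = {
        "legit": "voice.index",
        "dotdot": "../secret.txt",
        "absolute": str(root / "secret.txt"),
        "sibling": "../models_evil/x.bin",
    }
    try:
        (models / "link").symlink_to(root / "secret.txt")     # symlink escaping the base
        probes["symlink"] = "link"
    except OSError:
        pass  # platforms without symlink rights simply skip this probe

    return {
        name: {
            "vulnerable": _served(vulnerable_read, str(models), req),
            "naive": naive_prefix_ok(str(models), req),
            "safe": _served(safe_read, str(models), req),
        }
        for name, req in probes.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

Running `demo()` shows the vulnerable variant serving every probe, the prefix check wrongly accepting the `models_evil` sibling, and `resolve_within` accepting only the legitimate file. Resolving before comparing is what defeats the symlink case; comparing components rather than characters is what defeats the sibling case.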
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE describes an unauthenticated arbitrary file read (path traversal) in a publicly accessible web application, which directly enables T1190 (exploitation of a public-facing application) and T1005 (Data from Local System: collection of sensitive configuration files and credentials from the server's filesystem).
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file read in train.py's `export_index` function. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio server has access to. As of time of publication, no known patches are available.
Deeper analysis (AI-generated)
CVE-2025-27785 is an arbitrary file read vulnerability affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The flaw resides in the `export_index` function within the `train.py` module, enabling attackers to read arbitrary files on the Applio server. It is classified under CWE-22 (Path Traversal) and CWE-200 (Exposure of Sensitive Information), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network access without authentication.
Any unauthenticated attacker with network access to an affected Applio instance can exploit this vulnerability by manipulating inputs to the `export_index` function, resulting in the disclosure of sensitive files on the server. Exploitation can be chained with blind server-side request forgery (SSRF) to access files on internal network servers reachable by the Applio instance, potentially exposing configuration data, credentials, or other restricted resources.
The GitHub Security Lab advisory (GHSL-2024-341 and GHSL-2024-353) details the vulnerability with references to specific lines in `train.py` (L273 and L816). As of the CVE publication on 2025-03-19, no known patches were available for Applio. Until an upstream fix is released, security practitioners should isolate Applio instances from untrusted networks, run the Applio process with the least privilege its workload needs, monitor for anomalous file access attempts, and consider adding their own input validation in front of `export_index`.
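For the monitoring recommendation above, the following added example (written for this page, not part of Applio or the advisory) scans access-log lines for traversal probes. The log lines are constructed, and the `/export_index` route with a `path` query parameter is an assumption made so the requests fit one-line access logs; this page does not describe Applio's real request format. The detector percent-decodes repeatedly, so single- and double-encoded `../` and backslash variants are all caught.

```python
"""Added example (not Applio's code): flagging path-traversal probes in access logs.

The log lines are constructed for this example, and the /export_index route with
a `path` query parameter is an assumption so that the requests fit one-line
access logs; this page does not describe Applio's real request format.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: one legitimate export, four traversal probes, one static asset.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2025:10:00:01 +0000] "POST /export_index?path=weights%2Fvoice.index HTTP/1.1" 200 512
10.0.0.9 - - [19/Mar/2025:10:00:02 +0000] "GET /export_index?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [19/Mar/2025:10:00:03 +0000] "GET /export_index?path=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 500 0
10.0.0.9 - - [19/Mar/2025:10:00:04 +0000] "GET /export_index?path=/etc/hostname HTTP/1.1" 200 16
10.0.0.7 - - [19/Mar/2025:10:00:05 +0000] "GET /export_index?path=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 404 0
10.0.0.5 - - [19/Mar/2025:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""

# Combined-log-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True for a parent-directory segment or an absolute path after decoding."""
    decoded = fully_decode(value).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request carrying a traversal-looking parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes one layer; fully_decode handles the rest.
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "param": key,
                    "decoded": fully_decode(raw).replace("\\", "/"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['param']}={hit['decoded']}")
```

Four of the six constructed lines are reported. The status code is carried along because it is the triage signal: a traversal probe answered with 200 and a non-zero body is evidence of a successful read, whereas a 404 or 500 is an attempt worth alerting on but not a confirmed disclosure.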
Details
- CWE(s)