CVE-2025-27786
Published: 19 March 2025
Summary
CVE-2025-27786 is a critical-severity Path Traversal (CWE-22) vulnerability in Applio. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 22.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents path traversal by requiring that user-supplied values such as output_tts_path be validated (for example, canonicalised and confined to a dedicated output directory) before they reach the file removal call in core.py.
- AC-6 (Least Privilege): Limits the impact of arbitrary file deletion by running the application process with only the permissions it needs, so it cannot delete sensitive or system files outside its own working directories.
- SI-2 (Flaw Remediation): Addresses the root cause through timely flaw remediation, i.e. applying a fix to the insecure path handling in tts.py and core.py once one is published (none was available at the time of the CVE publication).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated path traversal in the public-facing TTS functionality maps to Exploit Public-Facing Application (T1190) for the initial access step, and the resulting arbitrary file deletion maps to Indicator Removal: File Deletion (T1070.004).
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. `output_tts_path` in tts.py takes arbitrary user input and passes it to `run_tts_script` function in core.py, which checks if the path in `output_tts_path` exists, and if yes, removes that path, which leads to arbitrary file removal. As of time of publication, no known patches are available.
Deeper analysis
CVE-2025-27786 is an arbitrary file removal vulnerability (classified as CWE-22) affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The issue originates in the TTS functionality, where the `output_tts_path` parameter in tts.py accepts arbitrary user input and passes it unchanged to the `run_tts_script` function in core.py. That function checks whether the supplied path exists and, if so, deletes it. Because the path is neither canonicalised nor confined to an output directory, the caller can point it at any file the Applio process is permitted to unlink.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): it is reachable over the network by an unauthenticated attacker with low complexity and no user interaction. Successful exploitation lets the attacker delete arbitrary files on the affected system, which can disrupt operations (for example by removing models or configuration) and, depending on which files are targeted, affect confidentiality, as the High confidentiality rating in the vector indicates. Note that the vector rates availability impact as None even though the primitive is file deletion, so treat the score as a floor when the deleted files are operationally critical.
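The pattern described above, as an added example that is not Applio's code: a reconstruction of the "if the caller-supplied path exists, remove it" logic next to a hardened version that confines the output path to a dedicated output directory before any removal. The function names, the output directory layout and the sample files are constructed for illustration and do not correspond to identifiers in the Applio repository.

```python
import os
import tempfile

# Assumption: the function names and directory layout below are illustrative
# and reconstruct the pattern the advisory describes; they are not Applio's code.


def remove_existing_output_vulnerable(output_tts_path: str) -> bool:
    """Vulnerable pattern: delete whatever path the caller supplied if it exists.

    Nothing ties the path to an output directory, so a remote caller can name
    any file the service account is allowed to unlink.
    """
    if os.path.exists(output_tts_path):
        os.remove(output_tts_path)
        return True
    return False


def safe_output_path(user_path: str, output_root: str) -> str:
    """Resolve user_path and require it to name a regular file inside output_root.

    Raises ValueError for anything else (traversal, absolute paths outside the
    root, the root itself, symlinks, directories, unexpected extensions).
    """
    root = os.path.realpath(output_root)
    # Relative input is joined to the root; absolute input is left as given, so an
    # absolute path outside the root fails the containment check below.
    unresolved = os.path.join(root, user_path)
    candidate = os.path.realpath(unresolved)  # collapses ".." and follows symlinks
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"output path escapes allowed directory: {user_path!r}")
    # realpath already followed links; also refuse a path that *is* a symlink so a
    # link planted inside the root cannot be used as a removal target.
    if os.path.islink(unresolved):
        raise ValueError("symlinked output path refused")
    if os.path.isdir(candidate):
        raise ValueError("output path is a directory")
    if not candidate.endswith(".wav"):
        raise ValueError("unexpected output extension")
    return candidate


def remove_existing_output_hardened(user_path: str, output_root: str) -> bool:
    """Hardened pattern: validate first, then remove only inside output_root."""
    path = safe_output_path(user_path, output_root)
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def rejects(user_path: str, output_root: str) -> bool:
    """True if safe_output_path refuses user_path for output_root."""
    try:
        safe_output_path(user_path, output_root)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: one victim file outside the output root and one
    legitimate output file inside it. Returns what each pattern deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        output_root = os.path.join(tmp, "tts_outputs")
        os.makedirs(output_root)
        victim = os.path.join(tmp, "victim.txt")        # constructed, outside root
        legit = os.path.join(output_root, "out.wav")    # constructed, inside root
        for p in (victim, legit):
            with open(p, "w") as fh:
                fh.write("x")

        results = {}
        traversal = os.path.join("..", "victim.txt")   # attacker-style relative path
        results["hardened_blocked_traversal"] = rejects(traversal, output_root)
        results["hardened_blocked_absolute"] = rejects(victim, output_root)
        results["victim_survives_hardened"] = os.path.exists(victim)
        results["hardened_removed_legit"] = remove_existing_output_hardened("out.wav", output_root)

        # The vulnerable pattern takes the absolute path exactly as supplied.
        results["vulnerable_removed_victim"] = remove_existing_output_vulnerable(victim)
        results["victim_survives_vulnerable"] = os.path.exists(victim)
        return results


if __name__ == "__main__":
    print(demo())
```

The containment check relies on comparing canonicalised paths rather than on string matching, which is what defeats `..` segments and symlinks. There is still a window between the check and `os.remove`; if the output directory is writable by other local users, write results to a file the service creates itself (for example via a temporary file renamed into place) instead of removing a caller-named path at all.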
As of the CVE publication on 2025-03-19T21:15:40.787, no patches are available. Mitigation details and technical analysis are provided in the GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio), with vulnerable code visible at core.py line 329 and tts.py line 133 in the referenced repository commit.
Details
- CWE(s)