CVE-2025-27787
Published: 19 March 2025
Summary
CVE-2025-27787 is a high-severity Path Traversal (CWE-22) vulnerability in Applio, an open-source voice conversion tool. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-10 (Information Input Validation): validates the unsanitized, user-supplied model_name input so it cannot traverse outside the expected logs directory or select an arbitrary, attacker-planted config.json whose process_pids list is then acted on.
Denial-of-Service Protection: protects against, or limits the effects of, DoS attacks that terminate Applio's own processes and potentially other critical processes through the exploited restart/train endpoints.
AC-6 (Least Privilege): runs the Applio application with the minimum privileges it needs, so that it cannot signal processes it does not own and the blast radius of an attacker-controlled config.json is limited to Applio itself.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Remote, unauthenticated exploitation of the public-facing web application (the restart/train endpoints) via path traversal, reading an attacker-planted config.json and terminating the PIDs it lists, maps directly to Exploit Public-Facing Application (T1190); the resulting impact is denial of service of the endpoint.
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service (DoS) in restart.py. `model_name` in train.py takes user input, and passes it to the `stop_train` function in restart.py, which uses it to construct a path to a folder with `config.json`. That `config.json` is opened and the list of values under "process_pids" are read. Next all the process IDs listed in the JSON are killed. Using one of the arbitrary file writes, one can write to `logs/foobar` a `config.json` file, which contains a list of process IDs. Then one can access this endpoint to kill these processes. Since an attacker can't know what process is running on which process ID, they can send a list of hundreds of process IDs, which can kill the process that Applio is using to run, as well as other, potentially important processes, which leads to DoS. Note that constructing a path with user input also enables path traversal. For example, by supplying "../../" in `model_name` one can access `config.json` from locations two folders down on the server. As of time of publication, no known patches are available.
Deeper analysis [AI-generated]
CVE-2025-27787 is a denial-of-service (DoS) vulnerability affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The issue resides in the restart.py component, where the user-supplied model_name parameter from train.py is passed unsanitized to the stop_train function. The function uses it to build a file path to a config.json, reads the list of process IDs under "process_pids", and terminates every process listed. Because the path is built from raw user input, the flaw is also a path traversal (CWE-22): supplying "../../" in model_name selects a config.json outside the intended logs directory. It is additionally characterized as improper neutralization of special elements (CWE-74). The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low complexity, no privileges or user interaction, with impact limited to availability.
A remote, unauthenticated attacker exploits this in two steps. First, using an arbitrary file write primitive, which the advisory names as a prerequisite, the attacker creates a config.json in a location they control, such as logs/foobar, populated with a list of process IDs. Second, the attacker supplies a crafted model_name (e.g., "logs/foobar" or a path-traversed equivalent) to the endpoint, causing the server to kill every listed process. Since the attacker cannot know which PID belongs to which process, listing hundreds of PIDs is enough to take down Applio's own process and potentially other important processes on the host, producing the DoS. The practical blast radius is bounded by the operating-system permissions of the Applio process: it can only signal processes it is allowed to signal, which is why running Applio under a dedicated, unprivileged account (AC-6) limits the damage even before the input-validation fix lands.
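The following is an added example, not Applio's own code, that shows the model_name -> config.json -> process_pids -> kill pattern described in the deeper analysis above, beside a hardened version implementing the two mitigations listed under Mitigating Controls (input validation of model_name, and least privilege over which PIDs may be terminated). The function names, the directory layout, the allowlist regex and the sample config.json contents are all constructed for illustration and are assumptions, not Applio's real identifiers. No process is actually signalled: both versions only compute the PID list that would be passed to a kill call.

```python
"""Added example (not Applio's code): the unsafe model_name -> config.json
-> kill pattern from the advisory, beside a hardened version.

All names, paths and sample data here are constructed for illustration.
Neither function calls os.kill; they return the PIDs that *would* be killed.
"""
from __future__ import annotations

import json
import os
import re
import tempfile


class UnsafeModelName(ValueError):
    """Raised when model_name fails validation (traversal, bad characters)."""


def unsafe_pids_for(logs_root: str, model_name: str) -> list[int]:
    """Mirrors the vulnerable pattern: raw user input is joined into a path,
    config.json is read, and every entry under process_pids is returned for
    termination. "../../" in model_name walks out of logs_root."""
    path = os.path.join(logs_root, model_name, "config.json")
    with open(path, encoding="utf-8") as f:
        return [int(p) for p in json.load(f)["process_pids"]]


# SI-10: allowlist instead of denylist. No separators, no dots, bounded length.
_MODEL_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_config_path(logs_root: str, model_name: str) -> str:
    """Validate model_name, then confirm the resolved path stays under
    logs_root (defence in depth against symlinks inside the logs tree)."""
    if not _MODEL_NAME_RE.fullmatch(model_name):
        raise UnsafeModelName(f"model_name rejected: {model_name!r}")
    root = os.path.realpath(logs_root)
    candidate = os.path.realpath(os.path.join(root, model_name, "config.json"))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeModelName(f"path escapes logs root: {candidate}")
    return candidate


def safe_pids_for(logs_root: str, model_name: str, owned_pids: set[int]) -> list[int]:
    """AC-6: even with a valid path, only terminate PIDs this application
    itself started (owned_pids), never arbitrary values read from disk."""
    path = safe_config_path(logs_root, model_name)
    with open(path, encoding="utf-8") as f:
        listed = json.load(f).get("process_pids", [])
    return [int(p) for p in listed if int(p) in owned_pids]


def model_name_accepted(model_name: str) -> bool:
    """Convenience check on the validator alone (root path is a placeholder)."""
    try:
        safe_config_path("/srv/applio/logs", model_name)  # assumed layout
        return True
    except UnsafeModelName:
        return False


def demo() -> dict:
    """Build a throwaway logs tree with an attacker-planted config.json
    (constructed sample) and compare both behaviours."""
    with tempfile.TemporaryDirectory() as tmp:
        logs_root = os.path.join(tmp, "app", "logs")
        os.makedirs(os.path.join(logs_root, "foobar"))
        # Constructed attacker file at logs/foobar/config.json: 200 guessed
        # PIDs plus one that happens to belong to the app (4242, assumed).
        with open(os.path.join(logs_root, "foobar", "config.json"), "w", encoding="utf-8") as f:
            json.dump({"process_pids": list(range(1, 201)) + [4242]}, f)
        # Constructed config.json two directories above logs, reachable via "../..".
        with open(os.path.join(tmp, "config.json"), "w", encoding="utf-8") as f:
            json.dump({"process_pids": [1]}, f)
        owned = {4242}  # assumed: the only PID this app spawned for training
        results = {
            "unsafe_planted": len(unsafe_pids_for(logs_root, "foobar")),
            "unsafe_traversal": unsafe_pids_for(logs_root, "../.."),
            "safe_planted": safe_pids_for(logs_root, "foobar", owned),
        }
        try:
            safe_pids_for(logs_root, "../..", owned)
            results["safe_traversal"] = "allowed"
        except UnsafeModelName:
            results["safe_traversal"] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The unsafe path returns 201 PIDs for the planted file and, via "../..", reads a config.json two levels above the logs directory; the hardened path rejects the traversal outright and, for the planted file, reduces the kill list to the single PID the application actually owns. The realpath/commonpath check is kept even though the regex already excludes separators, so a symlink planted inside the logs tree by the same file-write primitive cannot redirect the read.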
The GitHub Security Lab advisory (GHSL-2024-354) details the flaw with references to specific code lines in restart.py (L9) and train.py (L306), but as of publication on 2025-03-19, no patches or mitigations are available for Applio.
Applio's role as a voice conversion tool suggests relevance to AI/ML workflows, where model training and process management are common, heightening the risk in shared or exposed development environments. No real-world exploitation has been reported.
Details
- CWE(s)