CVE-2025-27777
Published: 19 March 2025
Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Security Summary
CVE-2025-27777 is a server-side request forgery (SSRF) vulnerability in Applio, an open-source voice conversion tool. Versions 3.2.7 and prior are affected, with the flaw located in the `model_download.py` file at line 195. This blind SSRF allows attackers to force the Applio server to send requests on their behalf, as documented in the CVE description and referenced GitHub code locations including `assets/flask/routes.py` and `tabs/download/download.py`. The vulnerability is rated 7.5 (High) under CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-918.
Any unauthenticated attacker with network access to the Applio server can exploit this blind SSRF to probe for other vulnerabilities on the server itself or on backend systems reachable by the Applio server within the internal network. Exploitation enables port scanning, service discovery, or chaining with other issues, such as the arbitrary file read in CVE-2025-27784, to achieve full SSRF and read files from internal hosts accessible to the server.
The GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio) details the issue but notes that, as of publication on 2025-03-19, no patches are available for this vulnerability. Security practitioners should monitor the Applio repository for updates and consider network segmentation or disabling the affected model download functionality until remediation is released.
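For maintainers hardening a model-download endpoint against this class of blind SSRF, the usual defence is to validate the user-supplied URL before any request is made: restrict the scheme, require the host to be on an explicit allowlist, and refuse hosts that resolve to loopback, link-local, or private address space. The following is an added illustration written for this page; it is not Applio's code and does not reflect how `model_download.py` or `tabs/download/download.py` are implemented. `ALLOWED_HOSTS` is an assumed allowlist, and the `resolver` parameter exists so the check can be exercised offline with constructed DNS answers.

```python
"""Allowlist-plus-resolution check for a model-download URL (added example, not Applio's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only these hosts are legitimate sources of model archives.
ALLOWED_HOSTS = frozenset({"huggingface.co", "github.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_loopback    # 127/8, ::1
        or addr.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or addr.is_reserved
        or addr.is_multicast
        or addr.is_unspecified
    )


def _resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the host, or [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_download_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=_resolve_all):
    """Return (ok, reason). Only URLs that pass every check should be fetched.

    Order matters: the allowlist is the primary control; the resolution check is
    defence in depth against an allowlisted name being pointed at internal space.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # "https://trusted.example@evil.example/" parses with host evil.example;
        # reject embedded credentials outright rather than reasoning about them.
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for ip in addrs:
        if not _is_public_ip(ip):
            return False, f"host {host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake_dns = {"huggingface.co": ["1.2.3.4"], "github.com": ["10.0.0.5"]}
    fake_resolver = lambda h: fake_dns.get(h, [])
    for candidate in (
        "https://huggingface.co/model.zip",           # accepted
        "http://huggingface.co/model.zip",            # wrong scheme
        "https://huggingface.co@evil.example/x.zip",  # credential trick
        "https://127.0.0.1:8080/",                    # not allowlisted
        "https://github.com/model.zip",               # resolves to 10.0.0.5 here
    ):
        print(candidate, "->", validate_download_url(candidate, resolver=fake_resolver))
```

Two caveats a reviewer would raise: the resolved address should be reused (pinned) for the actual connection rather than re-resolved by the HTTP client, or a rebinding DNS answer can pass the check and then point the fetch elsewhere; and redirects must be disabled or each hop re-validated, since an allowlisted host can redirect to an internal one.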
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF sits in a public-facing web application, so it is reached via T1190 (Exploit Public-Facing Application); once triggered, the blind SSRF lets the attacker use the Applio server for internal port scanning and service discovery, T1046 (Network Service Discovery).