CVE-2025-27782
Published: 19 March 2025
Description
Applio is an open-source voice conversion tool. Versions 3.2.8-bugfix and prior contain a path-traversal arbitrary file write in inference.py and tts.py that an unauthenticated remote attacker can chain with unsafe deserialization to achieve remote code execution on the server.
Security Summary
CVE-2025-27782 is a path-traversal arbitrary file write (CWE-22) in Applio, an open-source voice conversion tool. It affects versions 3.2.8-bugfix and prior, specifically the inference.py component. An attacker can write attacker-controlled content to attacker-chosen paths on the Applio server; the advisory references inference.py lines 1632-1645, 295, and 989-1002, as well as tts.py lines 309-322. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting network reachability, low attack complexity, and no required privileges or user interaction.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction or privileges (AV:N/AC:L/PR:N/UI:N/S:U), potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The arbitrary file write can be chained with an unsafe deserialization mechanism to enable remote code execution on the Applio server.
The GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio) documents the issue but notes that, as of the CVE's publication on 2025-03-19 (21:15:40 UTC), no patches or mitigations are available for affected versions. Security practitioners should monitor the Applio repository for updates and, until a fix is released, restrict network access to Applio instances so the web interface is reachable only from trusted hosts.
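The bug class behind this advisory, a client-supplied file name joined onto a server output directory without containment checks, as an added illustration that is not Applio's own code: the vulnerable pattern beside a hardened save routine that resolves the target and refuses anything outside the base directory. Function names, the output-directory layout, and the sample file names are assumptions for the example; the deserialization half of the chain (a later load of the planted file) is mentioned only in comments and not implemented.

```python
"""Hypothetical illustration of a CWE-22 arbitrary file write and its fix.
Not code from Applio or the advisory; names and layout are assumed."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the output directory."""


def vulnerable_save(output_dir: str, user_name: str, data: bytes) -> str:
    # Vulnerable pattern: os.path.join keeps '..' segments and, when user_name is
    # absolute, discards output_dir entirely. The write lands wherever the server
    # process can write. A planted model/checkpoint file that the application later
    # deserializes (e.g. via pickle-based loaders) is how this becomes code execution.
    path = os.path.join(output_dir, user_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def safe_target(output_dir: str, user_name: str) -> Path:
    # Hardened form: resolve both the base and the candidate (normalises '..',
    # follows symlinks, handles absolute input), then require strict containment.
    base = Path(output_dir).resolve()
    candidate = (base / user_name).resolve()
    if candidate == base or base not in candidate.parents:
        raise PathTraversalError(f"refusing to write outside {base}: {user_name!r}")
    return candidate


def is_contained(output_dir: str, user_name: str) -> bool:
    """True if user_name would resolve to a file strictly inside output_dir."""
    try:
        safe_target(output_dir, user_name)
        return True
    except PathTraversalError:
        return False


def safe_save(output_dir: str, user_name: str, data: bytes) -> str:
    target = safe_target(output_dir, user_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)


def demo() -> dict:
    """Run both routines in a scratch directory; constructed inputs only."""
    root = tempfile.mkdtemp()
    out = os.path.join(root, "outputs")
    os.makedirs(out)
    out_real = os.path.realpath(out)

    escaped = vulnerable_save(out, "../escaped.txt", b"constructed")
    results = {"vulnerable_escaped": not escaped.startswith(out_real + os.sep)}

    try:
        safe_save(out, "../escaped2.txt", b"constructed")
        results["safe_blocked"] = False
    except PathTraversalError:
        results["safe_blocked"] = True

    written = safe_save(out, "voices/ok.wav", b"constructed")
    results["safe_allowed"] = written.startswith(out_real + os.sep)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check compares resolved paths rather than string prefixes, so a sibling directory such as `outputs-old` or a symlink inside `outputs` pointing elsewhere is also rejected; a plain `startswith(output_dir)` test would pass the first and miss the second.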
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Affected Products
- Applio, versions 3.2.8-bugfix and prior
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.006 Command and Scripting Interpreter: Python
Why these techniques?
The vulnerability is a critical unauthenticated arbitrary file write in a public-facing Applio server application that chains with unsafe deserialization to enable RCE. That maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1059.006 (Python) for the command execution that follows, since the planted file is deserialized and executed by the Python-based Applio process.