Cyber Posture

CVE-2025-27783

Critical

Published: 19 March 2025
Modified: 01 August 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1536 (94.7th percentile)
Risk Priority: 29 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Applio is an open-source voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to an arbitrary file write in train.py. The flaw lets an attacker write arbitrary files on the Applio server and can be chained with an unsafe deserialization issue to achieve remote code execution. As of publication, no patched version is available.

Security Summary

CVE-2025-27783 is an arbitrary file write in Applio, an open-source voice conversion tool, classed as path traversal (CWE-22): the location of a file written by the train.py component is derived from attacker-controlled input and is not confined to the directory it was meant for. It affects versions 3.2.8-bugfix and prior. On its own the flaw lets an attacker create or overwrite any file the Applio process can write; chained with an unsafe deserialization issue in the same application it yields remote code execution. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated Critical.

The vector is network-reachable, low complexity, and needs neither privileges nor user interaction: any remote, unauthenticated client that can reach the affected train.py code paths can choose where a file lands on the server. An arbitrary write becomes code execution once the attacker can place a crafted serialized object where an unsafe deserialization path will load it, which is how the two issues chain, and from there the host running Applio is fully compromised.

GitHub Security Lab reported the issue under GHSL-2024-341 and GHSL-2024-353, pointing at train.py lines 212-225 and 484-491 and at inference.py line 295. At CVE publication (19 March 2025) no fixed release was available, so the available mitigations are to avoid running the affected versions, to keep Applio servers off untrusted networks, and to treat anyone who can reach the service as able to write files with the privileges of the Applio process.
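The two paragraphs above describe the bug class, not the fix. The example below is added here and is not Applio's code: the real train.py paths are not reproduced, and the function names, the "models" directory and the sample file names are constructed for illustration. It puts the vulnerable pattern (a caller-supplied name joined onto a server directory and written to) beside a hardened version that resolves the path and refuses anything landing outside the intended directory, and exercises both against the inputs that typically defeat naive checks: "..", an absolute path, a symlink that points out of the directory, and a sibling directory sharing the prefix. The deserialization half of the chain is not shown.

```python
"""Path-containment check for an arbitrary-file-write bug of the kind
described above. Added example, not Applio's code."""
import os
import tempfile


def vulnerable_save(base_dir: str, user_name: str, data: bytes) -> str:
    """Constructed vulnerable pattern: os.path.join() does not confine the
    result to base_dir. A name containing '..' components, or an absolute
    path, makes the write land wherever the caller chooses."""
    target = os.path.join(base_dir, user_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


class PathTraversal(ValueError):
    """Raised when a caller-supplied name would resolve outside the allowed directory."""


def safe_join(base_dir: str, user_name: str) -> str:
    """Hardened form: resolve both paths (following symlinks) and require the
    candidate to be strictly inside base_dir. A string-prefix test is not
    enough ('models2/x' starts with 'models'), hence os.path.commonpath()."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"refusing path outside {base!r}: {user_name!r}")
    return candidate


def safe_save(base_dir: str, user_name: str, data: bytes) -> str:
    """Same write as vulnerable_save, but only after safe_join accepts the path."""
    target = safe_join(base_dir, user_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def refused(base_dir: str, user_name: str) -> bool:
    """True if the hardened check rejects user_name."""
    try:
        safe_join(base_dir, user_name)
    except PathTraversal:
        return True
    return False


def demo() -> dict:
    """Run both versions against constructed inputs inside a scratch tree and
    report where each write landed. Every path stays under the temporary root,
    so the demo is safe to run."""
    root = tempfile.mkdtemp(prefix="applio-filewrite-demo-")
    models = os.path.join(root, "models")  # the directory writes are meant for
    os.makedirs(models)
    os.symlink(root, os.path.join(models, "link"))  # symlink pointing out of models/

    inputs = {  # constructed sample names
        "benign": "voice1/config.json",
        "dotdot": "../escaped.txt",
        "absolute": os.path.join(root, "abs.txt"),
        "symlink": "link/via_symlink.txt",
        "sibling": "../models2/prefix_trick.txt",
    }
    real_models = os.path.realpath(models)
    report = {}
    for label, name in inputs.items():
        landed = os.path.realpath(vulnerable_save(models, name, b"demo"))
        report[label] = {
            "vulnerable_wrote_inside_models": os.path.commonpath([real_models, landed]) == real_models,
            "hardened_refused": refused(models, name),
        }
    report["benign_hardened_path"] = safe_save(models, inputs["benign"], b"demo")
    return report


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Only the benign name passes both versions; for the other four the vulnerable function writes outside models/ while the hardened one raises before touching the filesystem. Resolving with os.path.realpath before comparing is what catches the symlink case, and comparing with commonpath rather than startswith is what catches the sibling-directory case.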

Details

CWE(s)
CWE-22

Affected Products

Vendor: applio
Product: applio
Versions: ≤ 3.2.8-bugfix

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Command and Scripting Interpreter: Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote unauthenticated arbitrary file write in public-facing Applio server (T1190) chained with unsafe deserialization for Python-based RCE (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
