CVE-2025-27784
Published: 19 March 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-27784 is an arbitrary file read vulnerability in Applio, an open-source voice conversion tool. It affects versions 3.2.8-bugfix and prior, stemming from improper handling in the `export_pth` function within the train.py module. The flaw, associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no requirements for privileges or user interaction.
Remote attackers can exploit this vulnerability without authentication by triggering the flawed export function, enabling them to read arbitrary files on the Applio server. When combined with blind server-side request forgery, it allows extraction of files from internal network servers that the Applio instance can access, potentially exposing sensitive configuration, credentials, or other data.
The GitHub Security Lab advisory (GHSL-2024-341 and GHSL-2024-353) details the issue with references to specific code lines in train.py but notes no patches are available as of the CVE's publication on 2025-03-19. Security practitioners should monitor the Applio repository for updates and consider network segmentation or disabling the affected train functionality until remediation.
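The advisory does not publish the fix, but the defensive pattern for an export routine that accepts a caller-supplied file name is well established: resolve the requested path, then refuse anything that lands outside a single allowed directory. The example below is added here and is not Applio's code; the function names, the `exports` directory layout and the constructed sample files are assumptions chosen to illustrate the check, not details taken from `train.py`.

```python
import os
import tempfile
from pathlib import Path

# Added example, not Applio's code: confine a caller-supplied export name
# to one allowed directory before any file is opened. Names and layout
# are assumptions for illustration.


class PathOutsideExportRoot(ValueError):
    """Raised when the requested path would resolve outside the export root."""


def resolve_export_path(export_root, requested: str) -> Path:
    """Return the absolute, symlink-resolved path for `requested` inside
    `export_root`, or raise PathOutsideExportRoot."""
    root = Path(export_root).resolve(strict=False)
    # An export *name* should never be absolute; reject it before joining.
    if os.path.isabs(requested):
        raise PathOutsideExportRoot(f"absolute path not allowed: {requested!r}")
    # resolve() collapses '..' components and follows symlinks, so a link
    # placed inside the root that points elsewhere is caught as well.
    candidate = (root / requested).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideExportRoot(
            f"{requested!r} resolves to {candidate} outside {root}"
        ) from None
    return candidate


def is_confined(export_root, requested: str) -> bool:
    """True if `requested` stays inside `export_root`, False otherwise."""
    try:
        resolve_export_path(export_root, requested)
        return True
    except PathOutsideExportRoot:
        return False


def read_export(export_root, requested: str) -> bytes:
    """Open a file only after the containment check has passed."""
    with open(resolve_export_path(export_root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise the check against constructed inputs in a temporary tree:
    a plain name, '..' traversal, an absolute path, and a symlink that
    escapes the root. Returns which inputs were accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"
        root.mkdir()
        (root / "voice.pth").write_bytes(b"constructed model bytes")
        secret = Path(tmp) / "secret.txt"          # constructed file outside root
        secret.write_text("constructed secret")
        (root / "escape").symlink_to(secret)        # symlink inside root -> outside
        return {
            "plain": is_confined(root, "voice.pth"),
            "dotdot": is_confined(root, "../secret.txt"),
            "absolute": is_confined(root, str(secret)),
            "symlink": is_confined(root, "escape"),
            "allowed_read": read_export(root, "voice.pth"),
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The containment test is done on the fully resolved path rather than on the raw string, which is what defeats both `..` sequences and symlinks; a check that only strips `../` from the input would miss the symlink case shown in `demo()`. Deploying such a check in the export routine reduces the exposure the advisory describes, but it is a mitigation pattern, not the upstream patch, which was not available at publication.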
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read in public-facing app enables remote exploitation (T1190), direct local file access (T1005), and extraction of credentials from files (T1552.001).