CVE-2025-27785
Published: 19 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-27785 is an arbitrary file read vulnerability affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The flaw resides in the `export_index` function within the `train.py` module, enabling attackers to read arbitrary files on the Applio server. It is classified under CWE-22 (Path Traversal) and CWE-200 (Exposure of Sensitive Information), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network access without authentication.
Any unauthenticated attacker with network access to an affected Applio instance can exploit this vulnerability by manipulating inputs to the `export_index` function, resulting in the disclosure of sensitive files on the server. Exploitation can be chained with blind server-side request forgery (SSRF) to access files on internal network servers reachable by the Applio instance, potentially exposing configuration data, credentials, or other restricted resources.
The GitHub Security Lab advisory (GHSL-2024-341 and GHSL-2024-353) details the vulnerability with references to specific lines in `train.py` (L273 and L816). As of the CVE publication on 2025-03-19, no patches or mitigations are available for Applio. Security practitioners should isolate Applio instances from untrusted networks, monitor for anomalous file access attempts, and consider custom input validation until upstream fixes are released.
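As an added example that is not Applio's code or the advisory's, the kind of path-containment check the "custom input validation" mitigation above calls for, written as a hypothetical `is_within_export_dir` helper; the export directory and the `.index` suffix are assumptions, since the page does not show Applio's layout.

```python
# Added example (not Applio's code): reject export requests whose resolved
# path leaves the directory the export function is allowed to read from.
# CWE-22 defences of this kind must compare *resolved* paths, not raw
# strings, so "../" sequences, absolute paths and symlink escapes are all
# caught by the same containment test.
from pathlib import Path
from typing import Iterable

# Hypothetical: the only directory an index export may read from, and the
# file suffixes an export is expected to name. Both are assumptions.
DEFAULT_EXPORT_DIR = "/srv/applio/logs"
ALLOWED_SUFFIXES = (".index",)


def resolve_export_path(requested: str, base_dir: str = DEFAULT_EXPORT_DIR,
                        allowed_suffixes: Iterable[str] = ALLOWED_SUFFIXES):
    """Return the resolved Path for `requested`, or None if it must be refused.

    A request is refused when its resolved location is outside `base_dir`,
    when it names the base directory itself, or when its suffix is not one
    of `allowed_suffixes`.
    """
    base = Path(base_dir).resolve()
    # An absolute `requested` discards `base` in the join; resolve() then
    # yields the absolute target, which the containment test below rejects.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the export directory
    if candidate == base:
        return None  # the directory itself is not an exportable file
    if candidate.suffix not in tuple(allowed_suffixes):
        return None
    return candidate


def is_within_export_dir(requested: str, base_dir: str = DEFAULT_EXPORT_DIR) -> bool:
    """True if `requested` would be accepted by resolve_export_path."""
    return resolve_export_path(requested, base_dir) is not None


def triage_requests(requests: Iterable[str], base_dir: str = DEFAULT_EXPORT_DIR) -> dict:
    """Map each constructed request string to its accept/refuse verdict."""
    return {r: is_within_export_dir(r, base_dir) for r in requests}
```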
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated arbitrary file read (path traversal) in a publicly accessible web application, directly enabling T1190 (exploitation of public-facing apps) and T1005 (collection of data from local system files including sensitive configs/credentials).