CVE-2025-27786
Published: 19 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-27786 is an arbitrary file removal vulnerability (CWE-22) affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The issue originates in the TTS functionality: the `output_tts_path` parameter in tts.py accepts arbitrary user input and passes it unchanged to the `run_tts_script` function in core.py. That function checks whether the supplied path exists and, if it does, deletes it before writing the new output. Because the path is never validated or confined to an output directory, a caller can use path traversal (or an absolute path) to point the deletion at any file the application process can remove.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to delete arbitrary files on the affected system, potentially disrupting operations or exposing sensitive data through targeted removals.
As of the CVE publication on 2025-03-19T21:15:40.787, no patches are available. Mitigation details and technical analysis are provided in the GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio), with vulnerable code visible at core.py line 329 and tts.py line 133 in the referenced repository commit.
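The missing control described above is a confinement check on the user-supplied output path before the existence check and deletion run. The following is an added example written for this page, not Applio's code or the GitHub Security Lab advisory's patch; the function names `safe_output_path`, `replace_output` and `demo_checks`, the `base_dir` allow-listed output directory and the `.wav` suffix restriction are assumptions chosen for illustration.

```python
import os
import tempfile


def safe_output_path(user_path: str, base_dir: str, allowed_suffixes=(".wav",)) -> str:
    """Resolve a user-supplied output path and confirm it stays inside base_dir.

    Raises ValueError for traversal sequences, absolute paths outside base_dir,
    symlinks that resolve outside base_dir, the directory itself, or a
    disallowed file suffix. Returns the resolved absolute path on success.
    """
    base = os.path.realpath(base_dir)
    # join() keeps an absolute user_path as-is, so the prefix comparison below
    # is the real control; realpath() also resolves any symlink components.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"output path escapes {base_dir!r}: {user_path!r}")
    if candidate == base:
        raise ValueError("output path must name a file, not the output directory")
    if not candidate.lower().endswith(allowed_suffixes):
        raise ValueError(f"unexpected output suffix: {user_path!r}")
    return candidate


def replace_output(user_path: str, base_dir: str, data: bytes) -> str:
    """Write TTS output, deleting a previous file of the same name only inside base_dir.

    The exists/remove pair is the same pattern the advisory describes; the
    difference is that it now operates on a validated, confined path.
    """
    target = safe_output_path(user_path, base_dir)
    if os.path.exists(target):
        os.remove(target)
    with open(target, "wb") as f:
        f.write(data)
    return target


def demo_checks() -> dict:
    """Exercise the guard with constructed inputs in a scratch directory.

    Sample paths are constructed for this example and are not taken from Applio.
    """
    base = tempfile.mkdtemp(prefix="tts_out_")
    results = {}
    results["inside"] = os.path.basename(replace_output("voice.wav", base, b"RIFF"))
    results["nested"] = os.path.relpath(
        safe_output_path("user1/voice.wav", base), os.path.realpath(base)
    ).replace("\\", "/")
    for label, bad in [
        ("dotdot", "../../etc/passwd"),   # traversal out of the output directory
        ("absolute", "/etc/passwd"),      # absolute path ignoring base_dir
        ("suffix", "notes.txt"),          # wrong file type for a TTS output
        ("dir", "."),                     # the output directory itself
    ]:
        try:
            safe_output_path(bad, base)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo_checks().items():
        print(f"{name}: {outcome}")
```

The check compares resolved paths rather than inspecting the string for `..`, so encoded or symlink-based variants are handled the same way as a plain traversal sequence. Restricting the suffix is a second, independent layer: even if a path somehow landed inside the output directory, only files of the expected type can be overwritten.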
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated path traversal in the public-facing TTS functionality maps directly to Exploit Public-Facing Application (T1190) for the initial access and to Indicator Removal: File Deletion (T1070.004) for the resulting arbitrary file deletion.