VYPR
High severity7.5NVD Advisory· Published Mar 19, 2025· Updated Jun 17, 2026

CVE-2025-27787

CVE-2025-27787

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to denial of service (DoS) in restart.py. model_name in train.py takes user input, and passes it to the stop_train function in restart.py, which uses it construct a path to a folder with config.json. That config.json is opened and the list of values under "process_pids" are read. Next all the process IDs listed in the JSON are killed. Using one of the arbitrary file writes, one can write to logs/foobar a config.json file, which contains a list of process IDs. Then one can access this endpoint to kill these processes. Since an attacker can't know what process is running on which process ID, they can send a list of hundreds of process IDs, which can kill the process that applio is using to run, as well as other, potentially important processes, which leads to DoS. Note that constructing a path with user input also enables path traversal. For example, by supplying "../../" in model_name one can access config.json freom locations two folders down on the server. As of time of publication, no known patches are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • GitHub/Appliollm-create
    Range: <=3.2.8-bugfix
  • Applio/Appliollm-fuzzy
    Range: <=3.2.8-bugfix
  • IAHispano/Appliov5
    Range: <= 3.2.8-bugfix

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.