PT-2025-11985 · Applio · Applio

Sylwia Budzynska

Published

2025-03-19

Updated

2025-03-20

CVE-2025-27785

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Applio versions 3.2.8-bugfix and prior

Description The issue is related to arbitrary file read in the export index function of train.py. This may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio server has access to.

Recommendations For versions 3.2.8-bugfix and prior, as a temporary workaround, consider disabling the export index function in train.py until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-22

Related Identifiers

CVE-2025-27785

Affected Products

Applio

PT-2025-11985 · Applio · Applio

CVE-2025-27785

Weakness Enumeration

Related Identifiers

Affected Products

References · 11