PT-2025-11987 · Applio · Applio

Sylwia Budzynska +1 · Published 2025-03-19 · Updated 2025-03-20 · CVE-2025-27787

CVSS v4.0: 8.8 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Applio versions 3.2.8-bugfix and prior

Description

Applio is a voice conversion tool that is vulnerable to denial of service (DoS). The issue arises from the model name in train.py, which takes user input and passes it to the stop train function in restart.py. This function uses the input to construct a path to a folder with config.json, which is then opened, and the list of values under "process pids" is read. An attacker can exploit this by writing a config.json file to an arbitrary location, such as logs/foobar, with a list of process IDs. By accessing a specific endpoint, an attacker can kill these processes, potentially leading to DoS. Additionally, the construction of a path with user input enables path traversal, allowing an attacker to access config.json from other locations on the server.

Recommendations

For versions 3.2.8-bugfix and prior, as a temporary workaround, consider disabling the stop train function in restart.py until a patch is available. Restrict access to the model name input in train.py to minimize the risk of exploitation. Avoid using the model name parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
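
A defensive sketch of the two checks the description points to, added here as an example and not taken from Applio's code: confine the model name to the logs directory, and act only on PIDs the server itself started. The function names, the `process_pids` key spelling and the sample values are assumptions.

```python
import json
import os
import re
import tempfile

PID_KEY = "process_pids"  # assumed key name; the advisory writes it as "process pids"
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

def resolve_model_config(logs_root, model_name):
    """Return logs_root/<model_name>/config.json, or raise ValueError on traversal."""
    if not SAFE_NAME.fullmatch(model_name) or ".." in model_name:
        raise ValueError("invalid model name")
    root = os.path.realpath(logs_root)
    path = os.path.realpath(os.path.join(root, model_name, "config.json"))
    # realpath also resolves symlinks, so a link out of the logs tree is rejected.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("config path escapes logs directory")
    return path

def pids_to_stop(config_path, spawned_pids):
    """Read the PID list but keep only PIDs this server started itself."""
    with open(config_path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    listed = data.get(PID_KEY, []) if isinstance(data, dict) else []
    if not isinstance(listed, list):
        return []
    # bool is a subclass of int in Python, so exclude it explicitly.
    return [p for p in listed
            if isinstance(p, int) and not isinstance(p, bool) and p in spawned_pids]

def demo():
    """Constructed sample: a config.json listing one tracked PID and two foreign entries."""
    with tempfile.TemporaryDirectory() as logs:
        os.makedirs(os.path.join(logs, "my_model"))
        cfg = os.path.join(logs, "my_model", "config.json")
        with open(cfg, "w", encoding="utf-8") as fh:
            json.dump({PID_KEY: [4242, 1, "7"]}, fh)
        path = resolve_model_config(logs, "my_model")
        allowed = pids_to_stop(path, spawned_pids={4242})
        try:
            resolve_model_config(logs, "../../etc")
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        return allowed, traversal_blocked

if __name__ == "__main__":
    print(demo())
```

The in-memory set of spawned PIDs is the trust anchor here: the list on disk is treated as a hint, so a planted config.json cannot name processes the server never started.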

Exploit

DoS

Path traversal

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2025-27787

Affected Products

Applio