CVE-2025-27777

Source
https://cve.org/CVERecord?id=CVE-2025-27777
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27777.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27777
Published
2025-03-19T20:42:29.180Z
Modified
2026-04-10T05:25:07.062062Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Applio allows SSRF and file write in model_download.py
Details

Applio is a voice conversion tool. Versions 3.2.7 and prior are vulnerable to server-side request forgery (SSRF) in model_download.py (line 195 in 3.2.7). The blind SSRF allows for sending requests on behalf of Applio server and can be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems on the internal network, that the Applio server can reach. The blind SSRF can also be coupled with a arbitrary file read (e.g., CVE-2025-27784) to read files from hosts on the internal network, that the Applio server can reach, which would make it a full SSRF. As of time of publication, no known patches are available.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27777.json"
}
References

Affected packages

Git / github.com/iahispano/applio

Affected ranges

Type
GIT
Repo
https://github.com/iahispano/applio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.7"
        }
    ]
}

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.6
3.2.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27777.json"