AVID-2026-R1675

Description

Applio allows arbitrary file write in inference.py (CVE-2025-27782)

Details

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file write in inference.py. This issue may lead to writing arbitrary files on the Applio server. It can also be used in conjunction with an unsafe deserialization to achieve remote code execution. As of time of publication, no known patches are available.

Reason for inclusion in AVID: CVE-2025-27782 describes a software vulnerability in Applio (an AI-related tool for voice conversion) that allows arbitrary file write in inference.py and can lead to remote code execution via unsafe deserialization. This is a software vulnerability within an AI tooling/component that could be part of AI pipelines (inference/serving workflows). It affects the AI software stack (not hardware/firmware) and relates to components used to build/deploy AI systems, fitting the supply-chain focus on dependencies, runtimes, and orchestration within general-purpose AI environments. The description and references provide explicit security risk (RCE via path traversal and unsafe deserialization) and evidence of the affected code paths.

References

Affected or Relevant Artifacts

  • Developer: IAHispano
  • Deployer: IAHispano
  • Artifact Details:
Type    Name
System  Applio

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

ID      Description
CWE-22  CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-19
  • Version: 0.3.3
  • AVID Entry