Cyber Posture

CVE-2025-27778

Critical · RCE

Published: 19 March 2025

Modified: 01 August 2025
KEV Added: not listed
Patch: available on the main branch, not yet in a numbered release
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0443 (89.1st percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27778 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 (Flaw Remediation), prevent: Directly remediates the unsafe deserialization vulnerability in infer.py by applying the available fix from the Applio main branch.

- SI-10 (Information Input Validation), prevent: Validates untrusted network inputs to infer.py, inference.py, and tts.py to block malicious deserialization payloads leading to RCE.

- Memory protection, prevent: Provides memory protections such as ASLR and DEP to hinder arbitrary code execution resulting from unsafe deserialization exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unsafe deserialization vulnerability enabling remote unauthenticated RCE via malicious input to network-accessible components (infer.py etc.) in the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release.

Deeper analysis

CVE-2025-27778 is an unsafe deserialization vulnerability (CWE-502) affecting Applio, an open-source voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable due to improper handling in the `infer.py` module, which can lead to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by providing malicious input that triggers deserialization in components such as `infer.py`, `inference.py`, and `tts.py`. Successful exploitation allows arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation is available via commits on the main branch of the Applio GitHub repository (IAHispano/Applio), including 16019befdcbbff0b264a5e30785feef4b70df8d9 and eb21d9dd349a6ae1a28c440b30d306eafba65097, though no numbered release includes the fix as of publication on 2025-03-19. Security practitioners should advise users to update from the main branch and review the referenced code locations for unsafe deserialization patterns.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products: Applio Applio, versions ≤ 3.2.8-bugfix

CVEs Like This One

CVE-2025-27780 (same product: Applio Applio)
CVE-2025-27781 (same product: Applio Applio)
CVE-2025-27779 (same product: Applio Applio)
CVE-2025-27782 (same product: Applio Applio)
CVE-2025-27785 (same product: Applio Applio)
CVE-2025-27777 (same product: Applio Applio)
CVE-2025-27783 (same product: Applio Applio)
CVE-2025-27786 (same product: Applio Applio)
CVE-2025-27787 (same product: Applio Applio)
CVE-2025-27784 (same product: Applio Applio)
