CVE-2025-27779
Published: 19 March 2025
Summary
CVE-2025-27779 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation through patching the unsafe deserialization in model_blender.py as available in the Applio main branch.
Mandates validation of user-supplied model paths and files (model_fusion_a and model_fusion_b) prior to deserialization with torch.load to block malicious inputs.
Provides integrity checks on loaded models and monitors for unauthorized modifications or malicious code execution resulting from unsafe deserialization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization via torch.load on untrusted user input in Python app enables remote exploitation of public-facing application (T1190) leading to arbitrary code execution via Python interpreter (T1059.006).
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to…
more
the `run_model_blender_script` and later to `model_blender` function, which loads these two models with `torch.load` in `model_blender.py (on lines 20-21 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the Applio repository.
Deeper analysisAI
CVE-2025-27779 is an unsafe deserialization vulnerability affecting Applio, an open-source voice conversion tool, in versions 3.2.8-bugfix and prior. The issue resides in the `model_blender.py` file at lines 20 and 21, where the `model_blender` function uses `torch.load` to load two models specified by user-supplied inputs (`model_fusion_a` and `model_fusion_b`) sourced from `voice_blender.py`. These inputs, such as paths to models, are passed through `run_model_blender_script` without proper validation, enabling deserialization of untrusted data and classified under CWE-502. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by tricking a user into providing a malicious model path or file via the voice blender feature. Successful exploitation leads to arbitrary remote code execution on the victim's machine, with high impact on confidentiality, integrity, and availability, as the deserialization occurs without privileges or user interaction beyond supplying the input.
Mitigation is available via a patch committed to the main branch of the Applio GitHub repository (commit 11d139508d615a6db4d48b76634a443c66170dda). Security practitioners should advise users to update to the latest version from the main branch and avoid loading untrusted model files. Additional details are provided in the GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio) and affected code references.
Details
- CWE(s)