Cyber Resilience

CVE-2025-27779

HighRCE

Published: 19 March 2025

Published
19 March 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1040 93.4th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27779 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Applio, an open-source voice conversion tool, is affected by unsafe deserialization in versions 3.2.8-bugfix and earlier. The flaw resides in model_blender.py, where torch.load is called on lines 20-21 without safeguards; user-controlled model paths supplied via voice_blender.py functions model_fusion_a and model_fusion_b are passed through run_model_blender_script directly into this deserialization routine, triggering CWE-502.

An unauthenticated remote attacker can supply a malicious model path over the network and achieve arbitrary code execution on the server, as the CVSS 8.9 vector indicates no authentication or user interaction is required and impacts confidentiality, integrity, and availability.

The referenced GitHub advisory and commit 11d1395 on the main branch describe a patch that addresses the unsafe torch.load calls; practitioners should update to a build containing this change or apply equivalent input validation and safe-loading practices before processing externally supplied models.

The EPSS score rose from a low baseline to a peak of 0.1463, indicating emerging exploitation interest after disclosure. The issue occurs in a machine-learning workflow that loads untrusted PyTorch artifacts, a pattern that has produced similar remote-code-execution flaws in other model-handling codebases.

EU & UK References

Vulnerability details

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to…

more

the `run_model_blender_script` and later to `model_blender` function, which loads these two models with `torch.load` in `model_blender.py (on lines 20-21 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the Applio repository.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe deserialization via torch.load on untrusted user input in Python app enables remote exploitation of public-facing application (T1190) leading to arbitrary code execution via Python interpreter (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27780Same product: Applio Applio
CVE-2025-27781Same product: Applio Applio
CVE-2025-27778Same product: Applio Applio
CVE-2025-27782Same product: Applio Applio
CVE-2025-27783Same product: Applio Applio
CVE-2025-27786Same product: Applio Applio
CVE-2025-27777Same product: Applio Applio
CVE-2025-27785Same product: Applio Applio
CVE-2025-27787Same product: Applio Applio
CVE-2025-27784Same product: Applio Applio

Affected Assets

applio
applio
≤ 3.2.8-bugfix

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation through patching the unsafe deserialization in model_blender.py as available in the Applio main branch.

prevent

Mandates validation of user-supplied model paths and files (model_fusion_a and model_fusion_b) prior to deserialization with torch.load to block malicious inputs.

preventdetect

Provides integrity checks on loaded models and monitors for unauthorized modifications or malicious code execution resulting from unsafe deserialization.

References