CVE-2025-27779
Published: 19 March 2025
Summary
CVE-2025-27779 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Applio, an open-source voice conversion tool, is affected by unsafe deserialization in versions 3.2.8-bugfix and earlier. The flaw resides in model_blender.py, where torch.load is called on lines 20-21 without safeguards; user-controlled model paths supplied via voice_blender.py functions model_fusion_a and model_fusion_b are passed through run_model_blender_script directly into this deserialization routine, triggering CWE-502.
An unauthenticated remote attacker can supply a malicious model path over the network and achieve arbitrary code execution on the server, as the CVSS 8.9 vector indicates no authentication or user interaction is required and impacts confidentiality, integrity, and availability.
The referenced GitHub advisory and commit 11d1395 on the main branch describe a patch that addresses the unsafe torch.load calls; practitioners should update to a build containing this change or apply equivalent input validation and safe-loading practices before processing externally supplied models.
The EPSS score rose from a low baseline to a peak of 0.1463, indicating emerging exploitation interest after disclosure. The issue occurs in a machine-learning workflow that loads untrusted PyTorch artifacts, a pattern that has produced similar remote-code-execution flaws in other model-handling codebases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6791
Vulnerability details
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `model_blender.py` lines 20 and 21. `model_fusion_a` and `model_fusion_b` from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to…
more
the `run_model_blender_script` and later to `model_blender` function, which loads these two models with `torch.load` in `model_blender.py (on lines 20-21 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the Applio repository.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization via torch.load on untrusted user input in Python app enables remote exploitation of public-facing application (T1190) leading to arbitrary code execution via Python interpreter (T1059.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely remediation through patching the unsafe deserialization in model_blender.py as available in the Applio main branch.
Mandates validation of user-supplied model paths and files (model_fusion_a and model_fusion_b) prior to deserialization with torch.load to block malicious inputs.
Provides integrity checks on loaded models and monitors for unauthorized modifications or malicious code execution resulting from unsafe deserialization.