CVE-2025-27780
Published: 19 March 2025
Summary
CVE-2025-27780 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the unsafe deserialization flaw in model_information.py by applying the available patch from the Applio repository.
Validates user-supplied model_name inputs and associated file contents before passing to torch.load to block malicious deserialization payloads.
Verifies the integrity of user-supplied model files prior to deserialization to prevent execution of tampered code leading to RCE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization via torch.load enables remote unauthenticated RCE in a network-accessible function (T1190) and arbitrary Python code execution (T1059.006).
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to the `run_model_information_script` and later to `model_information` function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.
Deeper analysis
CVE-2025-27780 is an unsafe deserialization vulnerability (CWE-502) in Applio, an open-source voice conversion tool. Versions 3.2.8-bugfix and prior are affected due to improper handling of user-supplied input in model_information.py. The model_name parameter accepts input such as a path to a model file, which is passed to run_model_information_script and then to the model_information function. This function loads the model using torch.load on line 16 of rvc/train/process/model_information.py, enabling unsafe deserialization.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated attackers can exploit it over the network with low complexity and no user interaction, achieving remote code execution on the target system.
A patch addressing the issue is available in the main branch of the Applio GitHub repository via commit 11d139508d615a6db4d48b76634a443c66170dda. The GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353_Applio) provides further details on the flaw and remediation.
Applio uses PyTorch for loading machine learning models in voice conversion workflows, underscoring deserialization risks in AI/ML applications handling untrusted model files. No public evidence of real-world exploitation is available.
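An added example (not Applio's code or its patch) combining the three mitigations listed above: confine `model_name` to a models directory, check the file's SHA-256 against a trusted set, and deserialize through an allowlisting unpickler. The names `load_model_info`, `resolve_model_path` and `SAFE_GLOBALS` and the directory layout are assumptions; the standard-library `pickle.Unpickler` stands in for `torch.load`, whose `weights_only=True` option applies a similar restriction.

```python
import hashlib
import io
import pickle
from pathlib import Path

# Assumed allowlist: the only globals a model-metadata pickle may reference.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def resolve_model_path(model_name, models_dir):
    """Confine user-supplied model_name to models_dir (rejects ../ and absolute paths)."""
    base = Path(models_dir).resolve()
    candidate = (base / model_name).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"model path escapes {base}")
    return candidate


def load_model_info(model_name, models_dir, trusted_sha256):
    """Validate the path, verify integrity, then deserialize with the allowlist."""
    data = resolve_model_path(model_name, models_dir).read_bytes()
    if hashlib.sha256(data).hexdigest() not in trusted_sha256:
        raise ValueError("model file digest is not in the trusted set")
    return AllowlistUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    import collections
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: a benign metadata dict saved as a "model" file.
        blob = pickle.dumps(collections.OrderedDict(epoch=10, sr=40000))
        Path(d, "voice.pth").write_bytes(blob)
        trusted = {hashlib.sha256(blob).hexdigest()}
        print(load_model_info("voice.pth", d, trusted))
        try:
            load_model_info("../voice.pth", d, trusted)
        except ValueError as exc:
            print("rejected:", exc)
```

The digest check and the allowlist are independent layers: a file whose digest is trusted but which references any other global is still refused at `find_class`.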
Details
- CWE(s)