Cyber Resilience

CVE-2025-27780

High · RCE

Published: 19 March 2025
Modified: 01 August 2025
KEV Added
Patch
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1349 (94.4th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27780 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

Applio, an open-source voice conversion tool, contains an unsafe deserialization vulnerability in versions 3.2.8-bugfix and earlier. User-supplied input such as a model path is passed through run_model_information_script to the model_information function in rvc/train/process/model_information.py, which calls torch.load on it without safeguards. This is an instance of CWE-502: torch.load relies on Python's pickle format, so loading an attacker-controlled file permits arbitrary code execution during deserialization.

An unauthenticated attacker with network access can supply a malicious model file or path, causing the application to load and execute attacker-controlled payloads via the vulnerable torch.load call. Successful exploitation grants remote code execution with the privileges of the Applio process, affecting confidentiality, integrity, and availability.

A fix has been merged into the main branch of the IAHispano/Applio repository, addressing the unsafe loading path. The referenced GitHub Security Lab advisory (GHSL-2024-341) details the issue and points to the corrective commit.

EPSS for this CVE rose from a low baseline to a peak of 0.1725 before settling at 0.1349, indicating growing exploitation interest after public disclosure.

Vulnerability details

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to the `run_model_information_script` and later to the `model_information` function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe deserialization via torch.load enables remote unauthenticated RCE in a network-accessible function (T1190) and arbitrary Python code execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27779 (same product: Applio)
CVE-2025-27781 (same product: Applio)
CVE-2025-27778 (same product: Applio)
CVE-2025-27782 (same product: Applio)
CVE-2025-27783 (same product: Applio)
CVE-2025-27786 (same product: Applio)
CVE-2025-27777 (same product: Applio)
CVE-2025-27785 (same product: Applio)
CVE-2025-27787 (same product: Applio)
CVE-2025-27784 (same product: Applio)

Affected Assets

applio / applio: ≤ 3.2.8-bugfix

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the unsafe deserialization flaw in model_information.py by applying the available patch from the Applio repository.

prevent

Validates user-supplied model_name inputs and associated file contents before passing to torch.load to block malicious deserialization payloads.

prevent

Verifies the integrity of user-supplied model files prior to deserialization to prevent execution of tampered code leading to RCE.
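
The input-validation control described above, as an added example (not Applio's code and not its fix): it confines a user-supplied model name to one directory, then deserializes with an allowlisting unpickler. The standard-library pickle module stands in for torch.load, which relies on pickle; the directory layout, the `.pth` extension, the allowlist and all function names are assumptions.

```python
import io
import pickle
from collections import OrderedDict
from pathlib import Path

# Assumption: the only non-primitive type a checkpoint needs is OrderedDict.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def resolve_model_path(model_name: str, base_dir: Path) -> Path:
    """Confine a user-supplied model name to base_dir and a known extension."""
    base = base_dir.resolve()
    candidate = (base / model_name).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError("model path escapes the models directory")
    if candidate.suffix != ".pth":
        raise ValueError("unexpected model file extension")
    return candidate


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every import the stream requests unless it is allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Deserialize plain containers; arbitrary callables are never resolved."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    # Constructed inputs: a plain metadata mapping, and a stream that names
    # a callable outside the allowlist (a reference to builtins.print).
    benign = pickle.dumps(OrderedDict(version="constructed", sr=40000))
    print(safe_loads(benign))
    try:
        safe_loads(pickle.dumps(print))
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
    try:
        resolve_model_path("../outside.pth", Path("models"))
    except ValueError as exc:
        print("rejected:", exc)
```

With PyTorch itself, `torch.load(path, weights_only=True)` applies the same idea by restricting unpickling to tensors and primitive containers.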
