CVE-2025-27780
Published: 19 March 2025
Summary
CVE-2025-27780 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
Applio, an open-source voice conversion tool, contains an unsafe deserialization vulnerability in versions 3.2.8-bugfix and earlier. The flaw resides in model_information.py, where user-supplied input such as a model path is passed through run_model_information_script to the model_information function, which invokes torch.load without safeguards in rvc/train/process/model_information.py. This triggers CWE-502 and permits arbitrary code execution during deserialization.
An unauthenticated attacker with network access can supply a malicious model file or path, causing the application to load and execute attacker-controlled payloads via the vulnerable torch.load call. Successful exploitation grants remote code execution with the privileges of the Applio process, affecting confidentiality, integrity, and availability.
A fix has been merged into the main branch of the IAHispano/Applio repository, addressing the unsafe loading path. The referenced GitHub Security Lab advisory (GHSL-2024-341) details the issue and points to the corrective commit.
EPSS for this CVE rose from a low baseline to a peak of 0.1725 before settling at 0.1349, indicating growing exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6797
Vulnerability details
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and pass that value to the `run_model_information_script` and later to `model_information`…
more
function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization via torch.load enables remote unauthenticated RCE in a network-accessible function (T1190) and arbitrary Python code execution (T1059.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the unsafe deserialization flaw in model_information.py by applying the available patch from the Applio repository.
Validates user-supplied model_name inputs and associated file contents before passing to torch.load to block malicious deserialization payloads.
Verifies the integrity of user-supplied model files prior to deserialization to prevent execution of tampered code leading to RCE.