Cyber Resilience

CVE-2025-27781

High · RCE

Published: 19 March 2025

Modified: 01 August 2025
CVSS Score (v4): 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1040 (93.4th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27781 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Applio, an open-source voice conversion tool, is affected by an unsafe deserialization vulnerability in versions 3.2.8-bugfix and earlier. The flaw resides in inference.py and tts.py, where user-supplied model_file inputs are passed through change_choices and get_speakers_id before being loaded via torch.load at inference.py line 326, enabling arbitrary code execution through crafted serialized objects. The issue is tracked as CWE-502 and carries a CVSS 4.0 score of 8.9.

An unauthenticated remote attacker can exploit the vulnerability by supplying a malicious model path over the network, achieving full remote code execution with impacts to confidentiality, integrity, and availability. No user interaction or special privileges are required, and the attack surface is exposed through the inference and TTS interfaces.

A fix has been committed to the main branch of the Applio repository, addressing the unsafe torch.load usage. The associated GitHub Security Lab advisory (GHSL-2024-341/GHSL-2024-353) and linked code references detail the affected paths and the remediation change.

The EPSS score has reached a peak of 0.1292 with a current value of 0.1040.

Vulnerability details

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the `change_choices` and later to `get_speakers_id` function, which loads that model with `torch.load` in inference.py (line 326 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the repository.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

Unsafe deserialization in public-facing Applio app enables unauthenticated remote code execution via malicious model input to torch.load, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27780 · Same product: Applio Applio
CVE-2025-27779 · Same product: Applio Applio
CVE-2025-27778 · Same product: Applio Applio
CVE-2025-27782 · Same product: Applio Applio
CVE-2025-27783 · Same product: Applio Applio
CVE-2025-27786 · Same product: Applio Applio
CVE-2025-27777 · Same product: Applio Applio
CVE-2025-27785 · Same product: Applio Applio
CVE-2025-27787 · Same product: Applio Applio
CVE-2025-27784 · Same product: Applio Applio

Affected Assets

applio / applio, versions ≤ 3.2.8-bugfix

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Flaw remediation directly addresses the unsafe deserialization vulnerability by applying the available patch from the Applio main branch.

Prevent: Information input validation ensures user-supplied model_file paths and contents are checked before passing to torch.load, preventing unsafe deserialization.

Prevent: Software integrity verification requires cryptographic checks on model files prior to loading, mitigating risks from maliciously crafted deserialization payloads.
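
One way to apply the input-validation and integrity-verification controls above before a model path reaches torch.load, as an added example (not Applio's code or its patch). The names resolve_model, models_dir and pinned_hashes are hypothetical, and the file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

class ModelRejected(ValueError):
    """The requested model file failed validation and must not be loaded."""

def sha256_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def resolve_model(model_file, models_dir, pinned_hashes):
    """Return a vetted absolute Path for model_file, or raise ModelRejected."""
    # Assumption: pinned_hashes maps a path relative to models_dir to the
    # SHA-256 recorded when the operator approved that model.
    root = Path(models_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so traversal, absolute
    # paths and symlink escapes all end up outside root and are refused.
    candidate = (root / model_file).resolve()
    if not candidate.is_relative_to(root):
        raise ModelRejected("path is outside the models directory")
    if not candidate.is_file():
        raise ModelRejected("not a regular file")
    expected = pinned_hashes.get(candidate.relative_to(root).as_posix())
    if expected is None:
        raise ModelRejected("file is not on the allowlist")
    if sha256_file(candidate) != expected:
        raise ModelRejected("content does not match the pinned hash")
    # Only now hand the path to the loader, for example:
    # torch.load(candidate, map_location="cpu", weights_only=True)
    return candidate

if __name__ == "__main__":
    # Constructed sample data: a temporary directory with one stand-in file.
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "voice.pth")
        good.write_bytes(b"constructed stand-in bytes")
        pins = {"voice.pth": sha256_file(good)}
        print(resolve_model("voice.pth", tmp, pins))
        for bad in ("../voice.pth", "/etc/hostname", "missing.pth"):
            try:
                resolve_model(bad, tmp, pins)
            except ModelRejected as err:
                print(bad, "->", err)
```

`weights_only=True` is a real torch.load option that restricts unpickling to tensors and other allowlisted types; whether Applio's fix uses it is not stated on this page.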
