CVE-2025-27781
Published: 19 March 2025
Summary
CVE-2025-27781 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Flaw remediation directly addresses the unsafe deserialization vulnerability by applying the available patch from the Applio main branch.
Information input validation ensures user-supplied model_file paths and contents are checked before passing to torch.load, preventing unsafe deserialization.
Software integrity verification requires cryptographic checks on model files prior to loading, mitigating risks from maliciously crafted deserialization payloads.
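One way to apply the input-validation and integrity controls above before a model file reaches a deserializer, as an added example (not Applio's code or its patch). The names `vet_model_file`, `load_vetted_model`, `ALLOWED_SUFFIXES` and the pinned-digest set are hypothetical, and the `.pth`/`.pt` extensions are an assumption.

```python
import hashlib
import io
from pathlib import Path

ALLOWED_SUFFIXES = {".pth", ".pt"}  # assumption: extensions used for model files


class UntrustedModelError(Exception):
    """The requested model file failed the path or integrity check."""


def vet_model_file(model_file, models_root, trusted_sha256):
    """Return the file's bytes only if the path stays inside models_root
    and the content's SHA-256 is in the pinned set trusted_sha256."""
    root = Path(models_root).resolve()
    # resolve() collapses "../" and follows symlinks; an absolute
    # model_file replaces root in the join and is rejected below.
    candidate = (root / model_file).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UntrustedModelError("path escapes the models directory") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UntrustedModelError("unexpected file extension")
    if not candidate.is_file():
        raise UntrustedModelError("not a regular file")
    data = candidate.read_bytes()
    if hashlib.sha256(data).hexdigest() not in trusted_sha256:
        raise UntrustedModelError("digest is not on the trusted list")
    return data


def load_vetted_model(model_file, models_root, trusted_sha256, loader):
    """Run loader on an in-memory copy of the vetted bytes, so the file
    cannot be swapped between the hash check and deserialization."""
    data = vet_model_file(model_file, models_root, trusted_sha256)
    return loader(io.BytesIO(data))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "voice.pth")
        good.write_bytes(b"constructed sample bytes, not a real model")
        pinned = {hashlib.sha256(good.read_bytes()).hexdigest()}
        # With PyTorch installed the loader would be, for example:
        #   lambda f: torch.load(f, map_location="cpu", weights_only=True)
        print(load_vetted_model("voice.pth", tmp, pinned, lambda f: len(f.read())))
```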
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Unsafe deserialization in the public-facing Applio app enables unauthenticated remote code execution via malicious model input to torch.load, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution.
NVD Description
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the `change_choices` and later to `get_speakers_id` function, which loads that model with `torch.load` in inference.py (line 326 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the repository.
Deeper analysis (AI)
CVE-2025-27781 is an unsafe deserialization vulnerability (CWE-502) in Applio, an open-source voice conversion tool. It affects versions 3.2.8-bugfix and prior. The issue stems from the inference.py and tts.py modules, where the model_file parameter accepts user-supplied input, such as a model path. This value is passed to the change_choices and get_speakers_id functions, which invoke torch.load at line 326 in inference.py (version 3.2.8-bugfix) on untrusted data, enabling arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by any unauthenticated attacker over the network with low complexity and no user interaction. By providing a malicious model file path, an attacker can trigger deserialization of crafted payloads during model loading, resulting in remote code execution on the victim's system with high impacts to confidentiality, integrity, and availability.
Mitigation is available via a patch on the main branch of the Applio GitHub repository (commit eb21d9dd349a6ae1a28c440b30d306eafba65097). Security practitioners should advise users to update immediately. Additional details are provided in the GitHub Security Lab advisory (GHSL-2024-341_GHSL-2024-353) and affected code references.
Because Applio is a PyTorch-based voice conversion tool, this vulnerability underscores deserialization risks in AI/ML inference pipelines where user-controlled model inputs are common. No public evidence of real-world exploitation has been reported as of publication on 2025-03-19.
Details
- CWE(s)