CVE-2025-27781
Published: 19 March 2025
Summary
CVE-2025-27781 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Applio Applio. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Applio, an open-source voice conversion tool, is affected by an unsafe deserialization vulnerability in versions 3.2.8-bugfix and earlier. The flaw resides in inference.py and tts.py, where user-supplied model_file inputs are passed through change_choices and get_speakers_id before being loaded via torch.load at inference.py line 326, enabling arbitrary code execution through crafted serialized objects. The issue is tracked as CWE-502 and carries a CVSS 4.0 score of 8.9.
An unauthenticated remote attacker can exploit the vulnerability by supplying a malicious model path over the network, achieving full remote code execution with impacts to confidentiality, integrity, and availability. No user interaction or special privileges are required, and the attack surface is exposed through the inference and TTS interfaces.
A fix has been committed to the main branch of the Applio repository, addressing the unsafe torch.load usage. The associated GitHub Security Lab advisory (GHSL-2024-341/GHSL-2024-353) and linked code references detail the affected paths and the remediation change.
The EPSS score has reached a peak of 0.1292 with a current value of 0.1040.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6784
Vulnerability details
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to…
more
the `change_choices` and later to `get_speakers_id` function, which loads that model with `torch.load` in inference.py (line 326 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the repository.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization in public-facing Applio app enables unauthenticated remote code execution via malicious model input to torch.load, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the unsafe deserialization vulnerability by applying the available patch from the Applio main branch.
Information input validation ensures user-supplied model_file paths and contents are checked before passing to torch.load, preventing unsafe deserialization.
Software integrity verification requires cryptographic checks on model files prior to loading, mitigating risks from maliciously crafted deserialization payloads.