Unrated severityNVD Advisory· Published Mar 19, 2025· Updated Mar 20, 2025

Applio allows unsafe deserialization in model_blender.py

CVE-2025-27779

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_blender.py lines 20 and 21. model_fusion_a and model_fusion_b from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to the run_model_blender_script and later to model_blender function, which loads these two models with torch.load in model_blender.py (on lines 20-21 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the main` branch of the Applio repository.

Affected products

Applio/Appliollm-fuzzy
Range: <=3.2.8-bugfix
IAHispano/Appliov5
Range: <= 3.2.8-bugfix

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/rvc/train/process/model_blender.pymitrex_refsource_MISC
github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/voice_blender/voice_blender.pymitrex_refsource_MISC
github.com/IAHispano/Applio/commit/11d139508d615a6db4d48b76634a443c66170ddamitrex_refsource_MISC
securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000