Unrated severityNVD Advisory· Published Mar 19, 2025· Updated Mar 20, 2025

Applio allows unsafe deserialization in model_information.py

CVE-2025-27780

Description

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. model_name in model_information.py takes user-supplied input (e.g. a path to a model) and pass that value to the run_model_information_script and later to model_information function, which loads that model with torch.load in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the main branch of the repository.

Affected products

Applio/Appliollm-fuzzy
Range: <=3.2.8-bugfix
IAHispano/Appliov5
Range: <= 3.2.8-bugfix

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/rvc/train/process/model_information.pymitrex_refsource_MISC
github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/extra/model_information.pymitrex_refsource_MISC
github.com/IAHispano/Applio/commit/11d139508d615a6db4d48b76634a443c66170ddamitrex_refsource_MISC
securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.011
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000