CVE-2025-27780 Overview
CVE-2025-27780 is an insecure deserialization vulnerability in Applio, an open-source voice conversion tool. The vulnerability exists in model_information.py where user-supplied input is passed to torch.load() without proper validation, enabling remote code execution through maliciously crafted model files.
Critical Impact
Remote attackers can achieve arbitrary code execution by supplying a malicious model file that exploits the unsafe deserialization behavior of PyTorch's torch.load() function.
Affected Products
- Applio versions 3.2.8-bugfix and prior
- Applio installations using the vulnerable model_information.py module
- Systems processing untrusted model files through the Applio voice conversion pipeline
Discovery Timeline
- 2025-03-19 - CVE-2025-27780 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-27780
Vulnerability Analysis
The vulnerability stems from unsafe usage of PyTorch's torch.load() function in Applio's model information processing workflow. When a user provides a path to a model file through the model_name parameter, this value flows through run_model_information_script and ultimately reaches the model_information function in rvc/train/process/model_information.py. At line 16, the model is loaded using torch.load() without the weights_only=True parameter, allowing arbitrary Python objects to be deserialized.
PyTorch's pickle-based serialization format can embed arbitrary Python code that executes during deserialization. An attacker can craft a malicious .pth or .pt model file containing embedded code that executes when the model is loaded, achieving remote code execution with the privileges of the Applio process.
Root Cause
The root cause is CWE-502 (Deserialization of Untrusted Data). The torch.load() function uses Python's pickle module internally, which can deserialize arbitrary Python objects including those that execute code upon instantiation. Without the weights_only=True parameter, PyTorch loads all pickled objects in the model file, including potentially malicious payloads embedded by an attacker.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious model file containing a pickle payload that executes arbitrary code
- Convincing a victim to load the malicious model through Applio's model information feature
- The malicious code executes when torch.load() deserializes the model file
# Vulnerable code pattern (before patch)
weight_root (str): Path to the model weights.
"""
self.cpt = (
- torch.load(weight_root, map_location="cpu")
+ torch.load(weight_root, map_location="cpu", weights_only=True)
if os.path.isfile(weight_root)
else None
)
Source: GitHub Commit 11d1395
Detection Methods for CVE-2025-27780
Indicators of Compromise
- Unexpected process spawning from Applio or Python interpreter processes
- Suspicious network connections originating from the Applio application
- Model files from untrusted sources being loaded through the application
- Unusual file system activity following model loading operations
- Process execution chains involving torch.load() calls with unexpected child processes
Detection Strategies
- Monitor for torch.load() calls without the weights_only=True parameter in Python processes
- Implement file integrity monitoring on model directories to detect unauthorized model file additions
- Use application-level logging to track model file loading operations and their sources
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation behaviors
Monitoring Recommendations
- Enable verbose logging for the Applio application to track all model loading operations
- Implement network monitoring to detect data exfiltration or reverse shell connections
- Configure alerts for unexpected subprocess creation from Python/Applio processes
- Audit model file sources and implement allowlisting for trusted model repositories
How to Mitigate CVE-2025-27780
Immediate Actions Required
- Update Applio to the latest version from the main branch containing the security patch
- Review and remove any untrusted model files from the system
- Audit systems for signs of compromise if untrusted models were previously loaded
- Restrict model file uploads and loading to authenticated, trusted sources only
Patch Information
A patch is available in the main branch of the Applio repository. The fix adds the weights_only=True parameter to all torch.load() calls throughout the codebase, preventing arbitrary code execution through deserialization. The patch can be reviewed at GitHub Commit 11d1395. For detailed security advisory information, see the GitHub Security Lab Advisory.
Workarounds
- Only load model files from trusted, verified sources
- Implement input validation on model file paths to restrict loading to known-safe directories
- Run Applio in a sandboxed environment with restricted system access
- Apply network segmentation to limit potential lateral movement if exploitation occurs
# Secure configuration - ensure all torch.load calls include weights_only=True
ckpt = torch.load(model_path, map_location=torch.device(self.device), weights_only=True)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
