CVE-2025-27781 Overview
CVE-2025-27781 is an insecure deserialization vulnerability affecting Applio, an open-source voice conversion tool. The vulnerability exists in the inference.py and tts.py components where user-supplied model file paths are processed through torch.load without proper safety restrictions, enabling arbitrary code execution through malicious pickle payloads.
Critical Impact
Attackers can achieve remote code execution by supplying a maliciously crafted PyTorch model file, potentially leading to complete system compromise on servers running vulnerable Applio instances.
Affected Products
- Applio versions 3.2.8-bugfix and prior
- tabs/inference/inference.py component
- tabs/tts/tts.py component
Discovery Timeline
- 2025-03-19 - CVE-2025-27781 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-27781
Vulnerability Analysis
This vulnerability stems from the inherent insecurity of Python's pickle serialization format when used with PyTorch's torch.load function. When Applio processes user-supplied model file paths, these paths flow through the change_choices function and subsequently into get_speakers_id, where the model is loaded using torch.load at line 326 in the 3.2.8-bugfix version. Because torch.load internally uses pickle deserialization by default, an attacker can craft a malicious model file containing arbitrary Python code that executes upon loading.
The attack surface is network-accessible, requiring no authentication or user interaction. An attacker merely needs to provide a path to a malicious model file—whether uploaded directly, hosted remotely, or placed on a network share accessible to the target system.
Root Cause
The root cause is the use of torch.load without the weights_only=True parameter. By default, torch.load deserializes arbitrary Python objects using pickle, which can execute code during the unpickling process. This is a well-documented security risk in machine learning applications that accept user-supplied model files. The vulnerable code pattern allows an attacker to embed malicious __reduce__ methods in serialized objects that execute arbitrary system commands when the model is loaded.
Attack Vector
The attack leverages the network-accessible model loading functionality in Applio's inference and TTS modules. An attacker can exploit this vulnerability by:
- Crafting a malicious PyTorch model file with embedded pickle payloads
- Supplying the path to this malicious model through the model_file parameter in either inference.py or tts.py
- Triggering the get_speakers_id function which loads the model with unsafe deserialization
The following patch demonstrates the security fix applied to address this vulnerability:
def get_speakers_id(model):
if model:
try:
- model_data = torch.load(os.path.join(now_dir, model), map_location="cpu")
+ model_data = torch.load(os.path.join(now_dir, model), map_location="cpu", weights_only=True)
speakers_id = model_data.get("speakers_id")
if speakers_id:
return list(range(speakers_id))
Source: GitHub Commit
The fix adds weights_only=True to prevent arbitrary code execution during model loading:
def verify_checkpoint_shapes(checkpoint_path, model):
- checkpoint = torch.load(checkpoint_path, map_location="cpu")
+ checkpoint = torch.load(checkpoint_path, map_location="cpu", weights_only=True)
checkpoint_state_dict = checkpoint["model"]
try:
if hasattr(model, "module"):
Source: GitHub Commit
Detection Methods for CVE-2025-27781
Indicators of Compromise
- Unexpected model files appearing in Applio working directories with unusual names or timestamps
- Process spawning from Applio inference or TTS components (e.g., reverse shells, command interpreters)
- Network connections initiated from Applio processes to external or unusual IP addresses
- Anomalous file system activity such as creation of new scripts or modification of system files by the Applio process
Detection Strategies
- Monitor for torch.load calls on untrusted or user-supplied file paths in application logs
- Implement file integrity monitoring on model directories to detect unauthorized model file uploads
- Deploy endpoint detection rules to identify pickle deserialization exploitation patterns
- Use SentinelOne's behavioral AI to detect anomalous child process creation from Python-based ML applications
Monitoring Recommendations
- Enable verbose logging for Applio's inference and TTS modules to capture model loading events
- Configure network monitoring to alert on outbound connections from Applio server processes
- Implement application-level sandboxing to limit the impact of potential code execution
- Deploy runtime application self-protection (RASP) solutions to monitor deserialization operations
How to Mitigate CVE-2025-27781
Immediate Actions Required
- Update Applio to the latest version from the main branch which contains the security patch
- Audit all deployed model files for integrity and remove any untrusted or unverified models
- Restrict network access to Applio instances and implement authentication for model upload functionality
- Review application logs for signs of exploitation attempts prior to patching
Patch Information
A security patch is available on the main branch of the Applio repository. The fix involves adding the weights_only=True parameter to all torch.load calls, which restricts deserialization to tensor data only and prevents arbitrary code execution. Organizations should apply the patch by pulling the latest changes from the repository or applying commit eb21d9dd349a6ae1a28c440b30d306eafba65097. For detailed information, see the GitHub Security Advisory and the patch commit.
Workarounds
- Implement strict input validation to only allow model files from trusted, pre-approved directories
- Deploy Applio in an isolated container environment with limited system privileges and network access
- Use file system permissions to prevent modification of model directories by untrusted users
- Consider implementing model file signature verification before loading
# Example: Restrict model directory permissions
chmod 755 /path/to/applio/models
chown root:applio /path/to/applio/models
# Prevent new file creation by non-root users
chmod +t /path/to/applio/models
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
