Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27781

CVE-2025-27781: Applio Voice Conversion Tool RCE Flaw

CVE-2025-27781 is an unsafe deserialization vulnerability in Applio voice conversion tool affecting versions 3.2.8-bugfix and prior. Attackers can exploit torch.load to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-27781 Overview

CVE-2025-27781 is an insecure deserialization vulnerability affecting Applio, an open-source voice conversion tool. The vulnerability exists in the inference.py and tts.py components where user-supplied model file paths are processed through torch.load without proper safety restrictions, enabling arbitrary code execution through malicious pickle payloads.

Critical Impact

Attackers can achieve remote code execution by supplying a maliciously crafted PyTorch model file, potentially leading to complete system compromise on servers running vulnerable Applio instances.

Affected Products

  • Applio versions 3.2.8-bugfix and prior
  • tabs/inference/inference.py component
  • tabs/tts/tts.py component

Discovery Timeline

  • 2025-03-19 - CVE-2025-27781 published to NVD
  • 2025-08-01 - Last updated in NVD database

Technical Details for CVE-2025-27781

Vulnerability Analysis

This vulnerability stems from the inherent insecurity of Python's pickle serialization format when used with PyTorch's torch.load function. When Applio processes user-supplied model file paths, these paths flow through the change_choices function and subsequently into get_speakers_id, where the model is loaded using torch.load at line 326 in the 3.2.8-bugfix version. Because torch.load internally uses pickle deserialization by default, an attacker can craft a malicious model file containing arbitrary Python code that executes upon loading.

The attack surface is network-accessible, requiring no authentication or user interaction. An attacker merely needs to provide a path to a malicious model file—whether uploaded directly, hosted remotely, or placed on a network share accessible to the target system.

Root Cause

The root cause is the use of torch.load without the weights_only=True parameter. By default, torch.load deserializes arbitrary Python objects using pickle, which can execute code during the unpickling process. This is a well-documented security risk in machine learning applications that accept user-supplied model files. The vulnerable code pattern allows an attacker to embed malicious __reduce__ methods in serialized objects that execute arbitrary system commands when the model is loaded.

Attack Vector

The attack leverages the network-accessible model loading functionality in Applio's inference and TTS modules. An attacker can exploit this vulnerability by:

  1. Crafting a malicious PyTorch model file with embedded pickle payloads
  2. Supplying the path to this malicious model through the model_file parameter in either inference.py or tts.py
  3. Triggering the get_speakers_id function which loads the model with unsafe deserialization

The following patch demonstrates the security fix applied to address this vulnerability:

python
def get_speakers_id(model):
    if model:
        try:
-            model_data = torch.load(os.path.join(now_dir, model), map_location="cpu")
+            model_data = torch.load(os.path.join(now_dir, model), map_location="cpu", weights_only=True)
            speakers_id = model_data.get("speakers_id")
            if speakers_id:
                return list(range(speakers_id))

Source: GitHub Commit

The fix adds weights_only=True to prevent arbitrary code execution during model loading:

python
def verify_checkpoint_shapes(checkpoint_path, model):
-    checkpoint = torch.load(checkpoint_path, map_location="cpu")
+    checkpoint = torch.load(checkpoint_path, map_location="cpu", weights_only=True)
    checkpoint_state_dict = checkpoint["model"]
    try:
        if hasattr(model, "module"):

Source: GitHub Commit

Detection Methods for CVE-2025-27781

Indicators of Compromise

  • Unexpected model files appearing in Applio working directories with unusual names or timestamps
  • Process spawning from Applio inference or TTS components (e.g., reverse shells, command interpreters)
  • Network connections initiated from Applio processes to external or unusual IP addresses
  • Anomalous file system activity such as creation of new scripts or modification of system files by the Applio process

Detection Strategies

  • Monitor for torch.load calls on untrusted or user-supplied file paths in application logs
  • Implement file integrity monitoring on model directories to detect unauthorized model file uploads
  • Deploy endpoint detection rules to identify pickle deserialization exploitation patterns
  • Use SentinelOne's behavioral AI to detect anomalous child process creation from Python-based ML applications

Monitoring Recommendations

  • Enable verbose logging for Applio's inference and TTS modules to capture model loading events
  • Configure network monitoring to alert on outbound connections from Applio server processes
  • Implement application-level sandboxing to limit the impact of potential code execution
  • Deploy runtime application self-protection (RASP) solutions to monitor deserialization operations

How to Mitigate CVE-2025-27781

Immediate Actions Required

  • Update Applio to the latest version from the main branch which contains the security patch
  • Audit all deployed model files for integrity and remove any untrusted or unverified models
  • Restrict network access to Applio instances and implement authentication for model upload functionality
  • Review application logs for signs of exploitation attempts prior to patching

Patch Information

A security patch is available on the main branch of the Applio repository. The fix involves adding the weights_only=True parameter to all torch.load calls, which restricts deserialization to tensor data only and prevents arbitrary code execution. Organizations should apply the patch by pulling the latest changes from the repository or applying commit eb21d9dd349a6ae1a28c440b30d306eafba65097. For detailed information, see the GitHub Security Advisory and the patch commit.

Workarounds

  • Implement strict input validation to only allow model files from trusted, pre-approved directories
  • Deploy Applio in an isolated container environment with limited system privileges and network access
  • Use file system permissions to prevent modification of model directories by untrusted users
  • Consider implementing model file signature verification before loading
bash
# Example: Restrict model directory permissions
chmod 755 /path/to/applio/models
chown root:applio /path/to/applio/models
# Prevent new file creation by non-root users
chmod +t /path/to/applio/models

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne