CVE-2025-27778

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/rvc/infer/infer.py#L464	Product
https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/inference/inference.py#L338-L345	Product
https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/tts/tts.py#L50-L57	Product
https://github.com/IAHispano/Applio/commit/16019befdcbbff0b264a5e30785feef4b70df8d9	Patch
https://github.com/IAHispano/Applio/commit/eb21d9dd349a6ae1a28c440b30d306eafba65097	Patch
https://securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:applio:applio:*:*:*:*:*:*:*:*

History

01 Aug 2025, 00:41

Type	Values Removed	Values Added
References	~~() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/rvc/infer/infer.py#L464 -~~	() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/rvc/infer/infer.py#L464 - Product
References	~~() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/inference/inference.py#L338-L345 -~~	() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/inference/inference.py#L338-L345 - Product
References	~~() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/tts/tts.py#L50-L57 -~~	() https://github.com/IAHispano/Applio/blob/29b4a00e4be209f9aac51cd9ccffcc632dfb2973/tabs/tts/tts.py#L50-L57 - Product
References	~~() https://github.com/IAHispano/Applio/commit/16019befdcbbff0b264a5e30785feef4b70df8d9 -~~	() https://github.com/IAHispano/Applio/commit/16019befdcbbff0b264a5e30785feef4b70df8d9 - Patch
References	~~() https://github.com/IAHispano/Applio/commit/eb21d9dd349a6ae1a28c440b30d306eafba65097 -~~	() https://github.com/IAHispano/Applio/commit/eb21d9dd349a6ae1a28c440b30d306eafba65097 - Patch
References	~~() https://securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/ -~~	() https://securitylab.github.com/advisories/GHSL-2024-341_GHSL-2024-353_Applio/ - Vendor Advisory
Summary		(es) Applio es una herramienta de conversión de voz. Las versiones 3.2.8 (corrección de errores) y anteriores son vulnerables a la deserialización insegura en `infer.py`. Este problema puede provocar la ejecución remota de código. Al momento de la publicación, había una corrección disponible en la rama `main` del repositorio de Applio, pero no estaba asociada a una versión numerada.
CPE		cpe:2.3:a:applio:applio::::::::
First Time		Applio applio Applio
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

19 Mar 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-19 21:15

Updated : 2025-08-01 00:41

NVD link : CVE-2025-27778

Mitre link : CVE-2025-27778

CVE.ORG link : CVE-2025-27778

JSON object : View

Products Affected

applio

applio

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10