PT-2025-11965 · Applio

Sylwia Budzynska · Published 2025-03-19 · Updated 2025-08-01

CVE-2025-27781

CVSS v3.1
9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Applio versions 3.2.8-bugfix and prior

Description
Applio is a voice conversion tool. The issue is unsafe deserialization in the tool, specifically in the inference.py file. The model_file variable in both inference.py and tts.py takes user-supplied input, which is passed to change_choices and later to the get_speakers_id function. That function loads the model with torch.load, which deserializes arbitrary pickled objects from the file and is therefore vulnerable to unsafe deserialization, potentially leading to remote code execution.

Recommendations
For versions 3.2.8-bugfix and prior, update to a version that includes the patch available on the main branch of the repository. As a temporary workaround, restrict the values the model_file variable in inference.py and tts.py may take, to minimize the risk of exploitation. Additionally, avoid calling torch.load on untrusted input until the issue is resolved.
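As an added example that is not part of this advisory or of the Applio code base, the loader below applies both recommendations: the user-supplied model_file value is confined to a fixed models directory before anything is opened, and the file is then loaded with torch.load(..., weights_only=True), the documented option that limits the unpickler to tensors and plain containers instead of arbitrary objects. The directory path, the .pth allowlist and the function names are assumptions.

```python
from pathlib import Path

# Assumption: every legitimate model lives under this operator-controlled directory.
MODELS_DIR = Path("/srv/applio/models")
ALLOWED_SUFFIXES = {".pth"}


def resolve_model_path(model_file: str, models_dir: Path = MODELS_DIR) -> Path:
    """Map a user-supplied model_file value to a path inside models_dir.

    Rejects empty values, absolute paths, '..' traversal, symlink escapes and
    unexpected file types, so the value can only select a file the operator
    placed under models_dir.
    """
    if not model_file or "\x00" in model_file:
        raise ValueError("empty or malformed model_file")
    root = models_dir.resolve()
    candidate = (root / model_file).resolve()  # collapses '..' and symlinks
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"model_file escapes the models directory: {model_file!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected model file type: {candidate.suffix!r}")
    return candidate


def accepts(model_file: str, models_dir: Path = MODELS_DIR) -> bool:
    """True if resolve_model_path would accept the value (handy for checks/tests)."""
    try:
        resolve_model_path(model_file, models_dir)
        return True
    except ValueError:
        return False


def load_model_safely(model_file: str, models_dir: Path = MODELS_DIR):
    """Validate the path first, then load with the restricted unpickler."""
    import torch  # imported lazily so the path check runs without torch installed

    path = resolve_model_path(model_file, models_dir)
    # weights_only=True makes torch.load refuse arbitrary pickled objects, the
    # vector described in this advisory; only tensors, primitives and a small
    # allowlist of container types are reconstructed.
    return torch.load(path, map_location="cpu", weights_only=True)
```

Neither control is sufficient alone: the path check does nothing if an attacker can write into the models directory, and weights_only does nothing if the loader is handed a file it should never have resolved; together they close both the "which file" and "what is deserialized" halves of the bug.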

Exploit · Fix · RCE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
CVE-2025-27781

Affected Products
Applio, Torch