PT-2025-11981 · Applio · Applio

Sylwia Budzynska +1 · Published 2025-03-19 · Updated 2025-08-01 · CVE-2025-27779

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Applio versions 3.2.8-bugfix and prior

Description

Applio is a voice conversion tool vulnerable to unsafe deserialization in model_blender.py, lines 20 and 21. The functions model_fusion_a and model_fusion_b from voice_blender.py accept user-supplied input, such as a model path, and pass this value to the run_model_blender_script function, which then passes it to the model_blender function. This function uses torch.load in model_blender.py (lines 20-21) to load models, creating a vulnerability to unsafe deserialization. This issue can lead to remote code execution.

Recommendations

Applio versions prior to 3.2.8-bugfix should be updated to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the model_fusion_a and model_fusion_b functions in voice_blender.py to minimize the risk of exploitation.
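
The data flow in the description (a user-supplied model path reaching a pickle-based loader) can be guarded at two points: where the path is resolved and where globals are resolved during unpickling. The following is an added example, not Applio's code or its fix. It uses the standard-library pickle module in place of torch.load so it runs without PyTorch, and the names ALLOWED_GLOBALS, AllowlistUnpickler, resolve_model_path, load_checkpoint and models_dir are hypothetical.

```python
import collections
import pickle
import tempfile
from pathlib import Path

# Assumption: a plain state dict needs only this global. Extend deliberately.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowlistUnpickler(pickle.Unpickler):
    """Refuses to resolve any global that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def resolve_model_path(user_value, models_dir):
    """Confine a user-supplied model path to models_dir (hypothetical root)."""
    root = Path(models_dir).resolve()
    candidate = (root / user_value).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"model path escapes {root}")
    return candidate

def load_checkpoint(user_value, models_dir):
    """Load a pickle checkpoint without importing arbitrary callables."""
    path = resolve_model_path(user_value, models_dir)
    with path.open("rb") as fh:
        return AllowlistUnpickler(fh).load()

def demo():
    """Constructed inputs: one plain checkpoint, one that names another global."""
    with tempfile.TemporaryDirectory() as models_dir:
        plain = collections.OrderedDict(weight=[0.1, 0.2])
        Path(models_dir, "a.pth").write_bytes(pickle.dumps(plain))
        Path(models_dir, "b.pth").write_bytes(pickle.dumps({"hook": print}))
        results = {"a.pth": load_checkpoint("a.pth", models_dir)}
        for name in ("b.pth", "../outside.pth"):
            try:
                load_checkpoint(name, models_dir)
            except (pickle.UnpicklingError, ValueError) as exc:
                results[name] = f"rejected: {exc}"
        return results

if __name__ == "__main__":
    print(demo())
```

For real PyTorch checkpoints, torch.load accepts weights_only=True, which applies the same allowlisting idea inside the library.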

Exploit · Fix · RCE · Deserialization of Untrusted Data

Related Identifiers: CVE-2025-27779

Affected Products: Applio