{"data":{"id":"19b89aa0-489f-4d7e-9840-b6406beef2f2","title":"CVE-2025-27781: Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference","summary":"Applio, a voice conversion tool, has a vulnerability in versions 3.2.8-bugfix and earlier where it unsafely deserializes (rebuilds objects from untrusted serialized data) the model file at a user-supplied path using torch.load, which can allow attackers to run arbitrary code on the system. The vulnerability exists in the inference.py and tts.py files, where user input is passed directly to functions that load models without proper validation.","solution":"A patch is available on the `main` branch of the repository.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-27781","publishedAt":"2025-03-19T21:15:40.117Z","cveId":"CVE-2025-27781","cweIds":["CWE-502"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["model_theft"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Applio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.05145,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}