CVE-2025-27778
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27778 is an unsafe deserialization vulnerability (CWE-502) affecting Applio, an open-source voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable because the `infer.py` module deserializes untrusted input, which can lead to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: network accessibility, low attack complexity, and no requirement for privileges or user interaction.
Remote, unauthenticated attackers can exploit this vulnerability over the network by providing malicious input that triggers deserialization in components such as `infer.py`, `inference.py`, and `tts.py`. Successful exploitation allows arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation is available via commits on the main branch of the Applio GitHub repository (IAHispano/Applio), including 16019befdcbbff0b264a5e30785feef4b70df8d9 and eb21d9dd349a6ae1a28c440b30d306eafba65097, though no numbered release includes the fix as of publication on 2025-03-19. Security practitioners should advise users to update from the main branch and review the referenced code locations for unsafe deserialization patterns.
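The pattern behind CWE-502 in a Python application is loading pickle data (plain `pickle` or pickle-based checkpoint formats) from a file the user supplied. The following is an added example, not code from Applio or its fix commits, showing the two defensive checks a practitioner wants around such a loader: a static opcode scan that flags a stream capable of importing or calling Python objects without executing it, and an allowlisting `Unpickler` that refuses any global outside a known set. The sample inputs and the `ALLOWED_GLOBALS` set are constructed for this example; Applio's real checkpoint loading is not modelled.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle stream import a Python callable or invoke one while
# it is being loaded; these are what turn unsafe deserialization into code execution.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Hypothetical allowlist of globals this loader is willing to resolve (constructed
# for the example; a real checkpoint loader needs exactly the types its format uses).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def scan_pickle(data: bytes) -> list:
    """Return the sorted set of code-capable opcodes found in a pickle stream.

    pickletools.genops only disassembles, nothing is executed, so this is safe
    to run on an untrusted upload before deciding whether to load it at all.
    """
    found = set()
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in CODE_OPCODES:
            found.add(opcode.name)
    return sorted(found)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_or_refuse(data: bytes) -> tuple:
    """Deserialize with the allowlist; return ("ok", obj) or ("refused", reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


def sample_inputs() -> dict:
    """Constructed sample pickles standing in for uploaded model/config files."""
    return {
        "plain": pickle.dumps({"sr": 40000, "f0": True}),          # data only
        "ordered": pickle.dumps(collections.OrderedDict(a=1)),      # allowlisted global
        "counter": pickle.dumps(collections.Counter("aab")),        # non-allowlisted global
    }
```

For PyTorch checkpoints the equivalent control is `torch.load(path, weights_only=True)`, which applies the same allowlisting idea to the tensor types a state dict legitimately needs.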
Details
CWE(s): CWE-502 (unsafe deserialization)
Affected Products: Applio, versions 3.2.8-bugfix and prior
MITRE ATT&CK Enterprise Techniques: see the technique description above (exploiting a weakness in an Internet-facing host or system for initial access)
Why these techniques?
Unsafe deserialization vulnerability enabling remote, unauthenticated RCE via malicious input to network-accessible components (infer.py etc.) of the application.