Applio Unsafe Deserialization Vulnerability in Voice Conversion Tool Allowing Remote Code Execution
Vulnerability
An unsafe deserialization vulnerability has been identified in Applio, a voice conversion tool, in versions through 3.2.8-bugfix. The issue resides in the 'infer.py' file, where user-supplied input is deserialized without proper validation. This vulnerability can be exploited to execute arbitrary code remotely.
Impact
Exploitation of this vulnerability allows for remote code execution on the server running Applio.
Reproduction
The vulnerability can be reproduced by uploading a malicious model file through the application's inference or TTS (text-to-speech) tabs. The 'infer.py' script then deserializes the model file with 'torch.load', which unpickles the file and executes any code embedded in it.
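As an added defender-side example, not code from Applio, the following stdlib-only check lists the globals a checkpoint's pickle stream would import and rejects the file before it ever reaches 'torch.load'. ALLOWED_MODULES, the zip layout produced by make_checkpoint, and the CLEAN/SUSPECT samples are assumptions constructed for this example.

```python
import io, pickle, pickletools, zipfile
from collections import OrderedDict
from datetime import datetime

# Modules a legitimate checkpoint may reference (an assumption for this example;
# derive the real list from checkpoints you trust, ideally down to exact attrs).
ALLOWED_MODULES = {"torch", "collections", "numpy"}
STRING_OPS = {"STRING", "SHORT_BINSTRING", "BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE"}

def referenced_globals(pickled: bytes) -> set:
    """Every module.attr the stream would import, found without unpickling it."""
    found, stack, memo = set(), [], {}
    for op, arg, _ in pickletools.genops(pickled):   # raises ValueError if malformed
        if op.name in STRING_OPS:
            stack.append(arg)
        elif op.name == "MEMOIZE":                      # proto 4: memo[n] = top of stack
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif op.name == "GLOBAL":                       # proto <= 3: "module attr" inline
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":                 # proto 4: module, attr on the stack
            attr = stack.pop() if stack else "?"
            found.add(f"{stack.pop() if stack else '?'}.{attr}")
    return found

def disallowed_globals(checkpoint: bytes) -> set:
    """Globals outside the allowlist in a torch-style zip checkpoint or raw pickle."""
    streams = [checkpoint]
    if zipfile.is_zipfile(io.BytesIO(checkpoint)):
        with zipfile.ZipFile(io.BytesIO(checkpoint)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    bad = set()
    for stream in streams:
        bad |= {r for r in referenced_globals(stream)
                if r.split(".", 1)[0] not in ALLOWED_MODULES}
    return bad   # non-empty means: do not hand this file to torch.load

def make_checkpoint(state: dict) -> bytes:
    """Constructed stand-in for torch.save: a zip holding one pickled state dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", pickle.dumps(state, protocol=4))
    return buf.getvalue()
# Constructed samples: CLEAN references only allowlisted globals; SUSPECT drags in
# a module a weights file has no reason to need, so it is rejected before loading.
CLEAN = make_checkpoint({"weight": [0.1, 0.2], "config": OrderedDict(sr=40000)})
SUSPECT = make_checkpoint({"weight": [0.1], "created": datetime(2024, 1, 1)})
```

For real checkpoints, allowlist exact attributes (such as torch._utils._rebuild_tensor_v2) rather than whole modules, since a module prefix still admits callables a weights file never needs. This scan complements, rather than replaces, loading with torch.load(..., weights_only=True) or a non-pickle format such as safetensors.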
Remediation
A fix for this vulnerability is available on the main branch of the Applio repository, but it has not yet been included in a numbered release.
