CVE-2025-49833
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | up to and including 20250228v3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection in GPT-SoVITS-WebUI versions 20250228v3 and earlier. The open_slice function in webui.py takes user input from the slice_opt_root and slice-inp-path parameters, concatenates that input into a command string, and executes it on the server. An attacker who controls those values can therefore execute arbitrary commands on the server.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary commands on the server hosting GPT-SoVITS-WebUI. This can lead to unauthorized access, data theft, data modification, service disruption, or complete system compromise.
What immediate steps should I take to mitigate this vulnerability?
Since no patched version was available at the time of publication, immediate mitigation consists of restricting who can reach the vulnerable GPT-SoVITS-WebUI service, limiting which users may supply the slice_opt_root and slice-inp-path inputs to open_slice, and monitoring the service or disabling it until a patch is released, so that arbitrary command execution is prevented.
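The pattern the answer describes, as an added illustration that is not the project's own code: a hypothetical command builder that concatenates the two user-supplied paths into one command string, next to a hardened version that validates each value and passes it as a single argv element. The script path and the allowed working directory are constructed for the example.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Hypothetical stand-in for the vulnerable shape (NOT the project's code):
# user-controlled values are pasted into a single command string, so any
# command separator inside them reaches the shell that parses the string.
def build_slice_command_unsafe(inp_path: str, opt_root: str) -> str:
    return f"python tools/slice_audio.py {inp_path} {opt_root}"

# Directory under which all inputs and outputs must stay (constructed value).
ALLOWED_ROOT = Path("/srv/gpt-sovits/work").resolve()

# Conservative allow-list: letters, digits, dot, underscore, slash, dash.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")

def validate_path(value: str) -> Path:
    """Reject shell metacharacters and any path that escapes ALLOWED_ROOT."""
    if not _SAFE_NAME.fullmatch(value):
        raise ValueError(f"disallowed characters in path: {value!r}")
    resolved = (ALLOWED_ROOT / value).resolve()
    if resolved != ALLOWED_ROOT and ALLOWED_ROOT not in resolved.parents:
        raise ValueError(f"path escapes allowed root: {value!r}")
    return resolved

def build_slice_command_safe(inp_path: str, opt_root: str) -> list[str]:
    """Return an argv list; each user value is exactly one argument."""
    inp = validate_path(inp_path)
    out = validate_path(opt_root)
    return ["python", "tools/slice_audio.py", str(inp), str(out)]

def run_slice(inp_path: str, opt_root: str) -> subprocess.CompletedProcess:
    # shell=False (the default): no shell ever parses these arguments.
    return subprocess.run(build_slice_command_safe(inp_path, opt_root), check=True)

if __name__ == "__main__":
    bad = "clips; echo injected"   # constructed input with a command separator
    print(build_slice_command_unsafe(bad, "out"))   # separator lands in the string
    print(shlex.join(build_slice_command_safe("clips/in.wav", "out")))
    try:
        build_slice_command_safe(bad, "out")
    except ValueError as e:
        print("rejected:", e)
```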