CVE-2025-49835
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | to 20250228v3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in GPT-SoVITS-WebUI versions 20250228v3 and earlier. The webUI's open_asr function takes user input from variables like asr_inp_dir and concatenates it into a system command that is executed on the server. Because the input is not properly sanitized, an attacker can inject arbitrary commands, leading to arbitrary command execution on the server.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary commands on the server running GPT-SoVITS-WebUI. This can lead to unauthorized access, data theft, data modification, service disruption, or complete system compromise depending on the attacker's intent and the server environment.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include restricting access to the vulnerable GPT-SoVITS-WebUI service, especially limiting user input to the open_asr function, and monitoring or disabling the affected functionality if possible to prevent exploitation of the command injection vulnerability.