CVE-2025-49836
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | to 20250228v3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection in the GPT-SoVITS-WebUI software, specifically in the change_label function of webui.py. The function takes user input via path_list and concatenates it into a command that is executed on the server. Because the input is not properly sanitized, an attacker can inject arbitrary commands to be executed on the server, leading to arbitrary command execution.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary commands on the server running GPT-SoVITS-WebUI without any privileges or user interaction. This can lead to full compromise of the server, including data theft, data loss, service disruption, or further attacks on the network.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include restricting access to the vulnerable webUI to trusted users only, disabling or limiting the functionality that allows user input to be passed to the change_label function, and monitoring the system for any suspicious command execution attempts. Additionally, consider isolating the affected service to minimize potential impact.