CVE-2025-49838
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | to 20250228v3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unsafe deserialization issue in GPT-SoVITS-WebUI versions 20250228v3 and earlier. The application takes user input for a model path, appends a .pth extension, and then loads the model using torch.load without proper validation. This unsafe deserialization can allow an attacker to execute arbitrary code or cause other malicious effects by crafting a malicious model file.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution or other malicious actions because the application loads user-supplied data without validation. An attacker could exploit this to run arbitrary code on the system running GPT-SoVITS-WebUI, potentially compromising the system's integrity, confidentiality, and availability.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include avoiding the use of untrusted user input for the model_choose variable or the model_path attribute in the AudioPreDeEcho class, and refraining from loading models from untrusted sources to prevent unsafe deserialization via torch.load.