CVE-2025-49839
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | up to and including 20250228v3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unsafe deserialization issue in GPT-SoVITS-WebUI versions 20250228v3 and earlier. It occurs because user input specifying a model path is passed to a function that loads a model file using torch.load without proper validation. This allows potentially malicious input to be deserialized unsafely, which can lead to execution of arbitrary code or other security risks.
How can this vulnerability impact me?
The unsafe deserialization vulnerability can allow an attacker to execute arbitrary code on the system running GPT-SoVITS-WebUI by supplying crafted input that is deserialized unsafely. This can lead to system compromise, data theft, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include avoiding use of untrusted input for the model_choose variable or the uvr function, restricting access to the GPT-SoVITS-WebUI service to trusted users only, and monitoring for any suspicious activity related to model loading. Consider isolating the environment where the application runs to limit potential impact of unsafe deserialization.