CVE-2025-49840
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | up to and including 20250228v3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unsafe deserialization issue in GPT-SoVITS-WebUI versions 20250228v3 and prior. The application takes user input through the GPT_dropdown variable and passes it to the change_gpt_weights function. Inside this function, the user input (gpt_path) is used with torch.load to load a model. Because torch.load deserializes the input without proper validation, an attacker can exploit this to execute arbitrary code or cause other malicious effects.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code on the system running GPT-SoVITS-WebUI without any user interaction or privileges. This can lead to full system compromise, data theft, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include restricting or sanitizing user input to the GPT_dropdown variable to prevent unsafe deserialization, disabling or limiting the use of the change_gpt_weights function if possible, and monitoring for any suspicious activity related to model loading via torch.load. Additionally, consider isolating the affected service to reduce potential impact.
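One way to apply the input restriction described above, as an added example that is not code from GPT-SoVITS-WebUI or from this advisory: the value that would reach change_gpt_weights is confined to a single weights directory before any loader sees it. The function names, the .ckpt suffix, the directory names and the sample files are assumptions constructed for illustration; weights_only=True is an existing torch.load parameter, and whether the project's checkpoints load under it is not confirmed here.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".ckpt"}  # assumption: extension used for GPT weights

def resolve_weights_path(user_value: str, weights_root: Path) -> Path:
    """Map a dropdown value to a real file inside weights_root, or raise ValueError."""
    root = weights_root.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks; an absolute user_value
    # replaces root entirely, which the containment check below rejects.
    candidate = (root / user_value).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes weights directory: {user_value!r}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected file type: {user_value!r}")
    if not candidate.is_file():
        raise ValueError(f"no such weights file: {user_value!r}")
    return candidate

def load_gpt_weights(user_value: str, weights_root: Path):
    """Hypothetical hardened loader; torch is imported lazily so the checks run without it."""
    import torch
    path = resolve_weights_path(user_value, weights_root)
    # weights_only=True restricts unpickling to tensors and plain containers,
    # which matters if someone can place a file inside weights_root.
    return torch.load(path, map_location="cpu", weights_only=True)

def check_samples() -> dict:
    """Run the validator over constructed inputs; returns {label: accepted}."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp, "GPT_weights"), Path(tmp, "uploads")
        root.mkdir()
        outside.mkdir()
        (root / "model.ckpt").write_bytes(b"constructed")
        (root / "notes.pkl").write_bytes(b"constructed")
        (outside / "untrusted.ckpt").write_bytes(b"constructed")
        (root / "link.ckpt").symlink_to(outside / "untrusted.ckpt")
        samples = {"plain": "model.ckpt", "traversal": "../uploads/untrusted.ckpt",
                   "absolute": str(outside / "untrusted.ckpt"),
                   "symlink": "link.ckpt", "suffix": "notes.pkl"}
        results = {}
        for label, value in samples.items():
            try:
                resolve_weights_path(value, root)
                results[label] = True
            except ValueError:
                results[label] = False
        return results
```

Path confinement only narrows which files can be selected; it does not make a file that is already inside the weights directory safe to deserialize, so the service isolation and monitoring steps above still apply.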