CVE-2025-49841
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvc-boss | gpt-sovits-webui | up to and including 20250228v3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unsafe deserialization issue in GPT-SoVITS-WebUI versions 20250228v3 and prior. Specifically, user input is passed to a function that loads a model using torch.load without proper validation, which can lead to execution of malicious code during the deserialization process.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to execute arbitrary code on the system running GPT-SoVITS-WebUI, potentially leading to full system compromise, data theft, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at the time of publication, immediate mitigation steps include avoiding the use of untrusted user input for the SoVITS_dropdown variable or the load_sovits_new function in process_ckpt.py. Restrict access to the application to trusted users only and monitor for any suspicious activity related to model loading. Consider isolating the environment running GPT-SoVITS-WebUI to limit potential impact.
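A defender-side loader for the pattern described above, added here as an example and not taken from GPT-SoVITS-WebUI: the dropdown value is confined to a bare file name inside an allowlisted model directory, and the checkpoint is then read with PyTorch's restricted unpickler (weights_only=True) so a crafted .pth cannot run code during torch.load. The function names, the model directory layout and the placeholder files are assumptions constructed for this example.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = (".pth",)  # only checkpoint files may be selected from the dropdown

def is_safe_checkpoint_name(name: str) -> bool:
    """Accept only a plain file name (no separators, no '.' or '..') with an allowed suffix."""
    return (
        bool(name)
        and name not in (".", "..")
        and not any(ch in name for ch in ("/", "\\", "\x00"))
        and name.endswith(ALLOWED_SUFFIXES)
    )

def resolve_checkpoint(name: str, model_dir: str) -> Path:
    """Map an untrusted dropdown value to an existing checkpoint inside model_dir, or raise."""
    if not is_safe_checkpoint_name(name):
        raise ValueError(f"rejected checkpoint name: {name!r}")
    root = Path(model_dir).resolve()
    candidate = (root / name).resolve()
    # resolve() follows symlinks, so a link pointing outside model_dir is rejected here too
    if candidate.parent != root or not candidate.is_file():
        raise ValueError(f"checkpoint not in allowlisted directory: {name!r}")
    return candidate

def load_checkpoint_safely(name: str, model_dir: str):
    """Load a validated checkpoint with pickle code execution disabled.
    weights_only=True limits the unpickler to tensors and plain containers, so a
    crafted .pth cannot invoke arbitrary callables during torch.load; checkpoints
    needing custom classes belong in torch.serialization.add_safe_globals instead."""
    import torch  # imported lazily so the name checks above work without torch installed
    path = resolve_checkpoint(name, model_dir)
    return torch.load(str(path), map_location="cpu", weights_only=True)

def run_validation_demo() -> dict:
    """Exercise the validation against a constructed model directory; returns name -> accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "good.pth").write_bytes(b"constructed placeholder, not a real checkpoint")
        (Path(tmp) / "notes.txt").write_bytes(b"constructed placeholder")
        for name in ("good.pth", "../good.pth", "notes.txt", "missing.pth", ".."):
            try:
                resolve_checkpoint(name, tmp)
                results[name] = True
            except ValueError:
                results[name] = False
    return results
```

Only `good.pth` survives validation; traversal strings, non-checkpoint files and names that do not exist in the directory are all refused before torch.load is ever reached.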