
CVE-2025-43847: CWE-502: Deserialization of Untrusted Data in RVC-Project Retrieval-based-Voice-Conversion-WebUI

Severity: High
Published: Mon May 05 2025 (05/05/2025, 17:21:29 UTC)
Source: CVE
Vendor/Project: RVC-Project
Product: Retrieval-based-Voice-Conversion-WebUI

Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path2 variable takes user input (e.g. a path to a model) and passes it to the extract_small_model function in process_ckpt.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

AI-Powered Analysis

Last updated: 07/05/2025, 19:41:50 UTC

Technical Analysis

CVE-2025-43847 is a high-severity vulnerability affecting the Retrieval-based-Voice-Conversion-WebUI (RVC-Project), a voice changing framework based on VITS technology. The vulnerability arises from unsafe deserialization of untrusted data in versions 2.2.231006 and earlier. Specifically, the variable ckpt_path2 accepts user input, such as a path to a model file, which is then passed to the extract_small_model function in the process_ckpt.py script. This function uses torch.load to load the model from the specified path. Since torch.load performs deserialization, if an attacker can control the input path and supply a maliciously crafted model file, they can trigger unsafe deserialization. This can lead to remote code execution (RCE) without requiring authentication or user interaction. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which is a common vector for code execution attacks due to the ability to execute arbitrary code during object deserialization. No patches or fixes are currently available at the time of publication, increasing the risk for users of affected versions. The CVSS 4.0 score of 8.9 reflects the critical nature of the vulnerability, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the ease of exploitation and severity suggest that attackers could develop exploits rapidly.

Potential Impact

For European organizations using the Retrieval-based-Voice-Conversion-WebUI, this vulnerability poses a significant risk. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full system compromise. This could result in data breaches, unauthorized access to sensitive voice data or models, disruption of voice conversion services, and lateral movement within networks. Organizations relying on voice conversion for customer interaction, accessibility, or multimedia production could face operational downtime and reputational damage. Since the vulnerability does not require authentication or user interaction, exposed services are at high risk. Additionally, if the compromised systems are integrated into larger communication or AI pipelines, the impact could cascade, affecting confidentiality and integrity of broader systems. The lack of available patches means organizations must rely on immediate mitigations to reduce exposure. The threat is particularly relevant for sectors with high adoption of AI voice technologies, including media, telecommunications, and research institutions across Europe.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement the following specific mitigations:

1) Restrict access to the Retrieval-based-Voice-Conversion-WebUI service by network segmentation and firewall rules to limit exposure to trusted users and internal networks only.
2) Implement strict input validation and sanitization on the ckpt_path2 parameter to prevent attackers from supplying arbitrary file paths or malicious model files.
3) Monitor and audit all model loading activities and file accesses related to torch.load to detect anomalous or unauthorized usage.
4) Consider disabling or sandboxing the torch.load functionality if feasible, or replacing it with safer deserialization methods that do not execute arbitrary code.
5) Employ application-layer firewalls or intrusion detection systems with signatures targeting suspicious deserialization patterns.
6) Maintain up-to-date backups and incident response plans to recover quickly in case of compromise.
7) Engage with the RVC-Project community and monitor for forthcoming patches or updates to apply them promptly.
8) If possible, isolate the voice conversion environment in containerized or virtualized environments to limit the blast radius of potential exploitation.
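Mitigations 2 and 4 can be combined into a gate that runs before any checkpoint reaches torch.load. The following is an added example, not code from this advisory or from the RVC-Project: it confines the user-supplied path to a weights directory and lists the imports the checkpoint's pickle stream requests without unpickling it. The names confine, model_root, ALLOWED_GLOBALS and write_constructed_checkpoint are hypothetical, the allowlist is an assumption, and only zip-format checkpoints are handled (anything else is refused).

```python
import pickle
import pickletools
import zipfile
from pathlib import Path

# Assumed allowlist for a plain state_dict checkpoint; extend it per deployment.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch", "FloatStorage"),
                   ("torch._utils", "_rebuild_tensor_v2")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def confine(user_path, model_root):
    """Resolve user_path under model_root (hypothetical weights dir); reject escapes."""
    root = Path(model_root).resolve()
    target = (root / user_path).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise ValueError(f"path escapes model root: {user_path!r}")
    return target

def pickle_globals(data):
    """List the (module, name) imports a pickle stream requests, without unpickling."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Operands not pushed as two literal strings cannot be resolved: fail closed.
            found.append(tuple(recent[-2:]) if len(recent) >= 2 else ("<unresolved>", ""))
        if op.name not in STRING_OPS and op.name != "MEMOIZE":
            recent = []
    return found

def checkpoint_violations(path):
    """Return requested globals outside ALLOWED_GLOBALS for a zip-format checkpoint."""
    if not zipfile.is_zipfile(path):
        raise ValueError("not a zip-format checkpoint: refuse rather than scan")
    with zipfile.ZipFile(path) as zf:
        streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    if not streams:
        raise ValueError("no pickle stream found in checkpoint")
    return [g for s in streams for g in pickle_globals(s) if g not in ALLOWED_GLOBALS]

def write_constructed_checkpoint(path, obj):
    """Constructed sample input: wrap pickle.dumps(obj) in a torch-style zip layout."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
```

A checkpoint that returns no violations should still be loaded with torch.load(path, weights_only=True) where the installed PyTorch supports it, so the loader itself enforces a restricted unpickler.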


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-17T20:07:08.554Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981dc4522896dcbdaf2c

Added to database: 5/21/2025, 9:08:45 AM

Last enriched: 7/5/2025, 7:41:50 PM

Last updated: 8/7/2025, 7:53:14 PM
