CVE-2025-43849 is a high-severity vulnerability affecting the Retrieval-based-Voice-Conversion-WebUI (RVC-Project) voice changing framework, specifically versions 2.2.231006 and earlier. The vulnerability arises from unsafe deserialization of untrusted data, classified under CWE-502. The issue is located in the process_ckpt.py script, where user-controlled inputs, namely the variables ckpt_a and cpkt_b, are passed to the merge function. This function uses torch.load to load model files from paths specified by these variables. Since torch.load performs deserialization, if an attacker can supply a maliciously crafted model file or path, it can lead to arbitrary code execution on the host system without requiring authentication or user interaction. The vulnerability is exploitable remotely over the network with low attack complexity, as no privileges or user interaction are needed. The CVSS 4.0 score of 8.9 reflects the critical impact on confidentiality, integrity, and availability, with high exploitability. As of the publication date, no patches or mitigations have been released, increasing the risk for users of affected versions. This vulnerability is particularly dangerous because voice conversion frameworks like RVC-Project are often used in multimedia, telecommunication, or content creation environments, where compromise could lead to unauthorized access, data exfiltration, or deployment of further malware.

For European organizations, the impact could be significant, especially for those involved in media production, telecommunications, or AI research using the RVC-Project framework. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full system compromise, data breaches, or disruption of services. Confidentiality could be severely impacted if attackers gain access to sensitive voice data or internal models. Integrity and availability could also be compromised, affecting business continuity and trust in voice-based applications. Given the lack of patches, organizations using affected versions are at heightened risk. Additionally, the ability to execute code remotely without authentication makes this vulnerability attractive for attackers aiming to establish footholds in networks or pivot to other critical systems. The threat could also extend to cloud environments where RVC-Project is deployed, amplifying the potential scale of impact.

Organizations should immediately audit their environments to identify any deployments of Retrieval-based-Voice-Conversion-WebUI version 2.2.231006 or earlier. Until patches are available, it is critical to restrict access to the application, ideally isolating it within segmented network zones with strict access controls. Input validation should be enhanced to prevent untrusted user input from reaching the torch.load function. If possible, disable or replace the use of torch.load for loading models with safer alternatives that do not perform arbitrary deserialization. Monitoring and logging should be increased around the usage of the merge function and model loading operations to detect suspicious activity. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block exploitation attempts. Organizations should also prepare incident response plans specific to this vulnerability and stay alert for any released patches or updates from the RVC-Project maintainers. Finally, consider using alternative voice conversion frameworks that do not rely on unsafe deserialization until this issue is resolved.