CVE-2025-49840: CWE-502: Deserialization of Untrusted Data in RVC-Boss GPT-SoVITS
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes user input and passes it to the change_gpt_weights function. In change_gpt_weights, the user input, here gpt_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
CVE-2025-49840: CWE-502: Deserialization of Untrusted Data in RVC-Boss GPT-SoVITS
Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes user input and passes it to the change_gpt_weights function. In change_gpt_weights, the user input, here gpt_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-06-11T14:33:57.800Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6876c198a83201eaacd0caa8
Added to database: 7/15/2025, 9:01:12 PM
Last updated: 7/15/2025, 9:01:12 PM
Views: 1
Related Threats
CVE-2025-6981: CWE-863 Incorrect Authorization in GitHub Enterprise Server
MediumCVE-2025-49841: CWE-502: Deserialization of Untrusted Data in RVC-Boss GPT-SoVITS
HighCVE-2025-30761: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. in Oracle Corporation Oracle Java SE
MediumCVE-2025-49836: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in RVC-Boss GPT-SoVITS
HighCVE-2025-49835: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in RVC-Boss GPT-SoVITS
HighActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.