- Description
- Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path1 variable takes user input (e.g. a path to a model) and passes it to the show_info function in process_ckpt.py, which loads the model at that path with torch.load. Because torch.load unpickles the file, a crafted checkpoint can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
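The torch.load pattern the description names, shown as an added defender-side example (this is not code from RVC-Project or from this record): the user-supplied checkpoint path is confined to a checkpoint directory before use, and the file is deserialized with weights_only=True so the unpickler admits only tensors and primitive containers. The helper names, the ckpt_root directory and the allowed suffixes are assumptions.

```python
"""Added example: hardening the torch.load call the advisory describes.

Vulnerable shape (as in the advisory): show_info(ckpt_path1) -> torch.load(ckpt_path1)
with an unvalidated, user-controlled path and a full pickle unpickler.
Hardened shape: confine the path to a checkpoint directory and deserialize
with weights_only=True so a crafted checkpoint cannot run code on load.
"""
from pathlib import Path

# Assumption: checkpoints live under one directory and use these suffixes.
ALLOWED_SUFFIXES = {".pth", ".pt"}


def resolve_ckpt_path(user_input: str, ckpt_root: str) -> Path:
    """Return the resolved path if it stays inside ckpt_root, else raise ValueError.

    Rejects '../' traversal, absolute paths outside the root, symlinks that
    escape the root (resolve() follows them) and non-checkpoint suffixes.
    The file does not have to exist for the check to run.
    """
    root = Path(ckpt_root).resolve()
    candidate = (root / user_input).resolve()  # an absolute input replaces root
    try:
        candidate.relative_to(root)  # component-wise, so "ckpt_root2/x" is rejected too
    except ValueError:
        raise ValueError(f"checkpoint path escapes {root}: {user_input!r}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected checkpoint suffix: {candidate.suffix!r}")
    return candidate


def is_allowed_ckpt_path(user_input: str, ckpt_root: str) -> bool:
    """Boolean form of resolve_ckpt_path, convenient for filtering requests."""
    try:
        resolve_ckpt_path(user_input, ckpt_root)
    except ValueError:
        return False
    return True


def safe_show_info(user_input: str, ckpt_root: str) -> dict:
    """Hardened counterpart of the show_info pattern the advisory describes.

    torch is imported lazily so the path checks above run without it.
    weights_only=True (assumption: torch >= 1.13) makes torch.load refuse
    arbitrary pickle objects, the vector behind CWE-502 in this record.
    """
    path = resolve_ckpt_path(user_input, ckpt_root)
    import torch
    ckpt = torch.load(path, map_location="cpu", weights_only=True)
    keys = sorted(ckpt.keys()) if isinstance(ckpt, dict) else type(ckpt).__name__
    return {"path": str(path), "keys": keys}
```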
CVSS 4.0
- Type
- Secondary
- Base score
- 8.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-502
- Hype score
- Not currently trending
🚨 CVE-2025-43846 🔴 HIGH (8.9) 🏢 RVC-Project - Retrieval-based-Voice-Conversion-WebUI 🏗️ <= 2.2.231006 🔗 https://t.co/KaJuP86HaX 🔗 https://t.co/wtVx3fwLDQ 🔗 https://t.co/hIGM7T6gO3 🔗 https://t.co/DjsXi971ny #CyberCron #VulnAlert #InfoSec https://t.co/3
@cybercronai
7 May 2025
CVE-2025-43846 Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_p… https://t.co/yfy0qTBIk7
@CVEnew
5 May 2025
[CVE-2025-43846: HIGH] Voice Conversion WebUI based on VITS is exposed to cyber risks with versions 2.2.231006 and earlier. User-input for model paths in the show_info function can cause unsafe deserializati...#cve,CVE-2025-43846,#cybersecurity https://t.co/bHD3oIVmwP https://t.c
@CveFindCom
5 May 2025