CVE-2025-43843
CRITICALretrieval-based-voice-conversion-webui < 2.2.231006 - OS Command Injection via extract_f0_feature Function
Title source: llmDescription
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/
Product x_refsource_misc
https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L1276-L1289
Product x_refsource_misc
https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L265-L274
Product x_refsource_misc
https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L276-L278
Product x_refsource_misc
https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L307-L309
Scores
CVSS v3
9.8
EPSS
0.0226
EPSS Percentile
80.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-77
Status
published
Products (1)
rvc-project/retrieval-based-voice-conversion-webui
< 2.2.231006
Published
May 05, 2025
Tracked Since
Feb 18, 2026