CVE-2025-43852

CRITICAL

Retrieval-based-Voice-Conversion-WebUI < 2.2.231006 - Remote Code Execution via Unsafe Model Path Deserialization

Title source: llm

Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function in vr.py. In uvr , if model_name contains the string "DeEcho", a new instance of AudioPreDeEcho class is created with the model_path attribute containing the aforementioned user input. In the AudioPreDeEcho class, the user input is used to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/

Product x_refsource_misc

https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer/modules/uvr5/vr.py#L214

Product x_refsource_misc

https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/9f2f0559e6932c10c48642d404e7d2e771d9db43/infer-web.py#L1073

View Writeup ZIP pw:eip

Product x_refsource_misc

https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/9f2f0559e6932c10c48642d404e7d2e771d9db43/infer-web.py#L1098

Scores

CVSS v3 9.8

EPSS 0.0080

EPSS Percentile 51.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (1)

rvc-project/retrieval-based-voice-conversion-webui < 2.2.231006

Published May 05, 2025

Tracked Since Feb 18, 2026