CVE-2025-43844

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-43844
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43844.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43844
Published
2025-05-05T17:11:05.689Z
Modified
2026-04-02T12:48:25.958646Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
GHSL-2025-014_Retrieval-based-Voice-Conversion-WebUI
Details

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables expdir1, among others, take user input and pass it to the clicktrain function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.

Database specific 
{
    "cwe_ids": [
        "CWE-77"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43844.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rvc-project/retrieval-based-voice-conversion-webui

Affected ranges

Type
GIT
Repo
https://github.com/rvc-project/retrieval-based-voice-conversion-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9f2f0559e6932c10c48642d404e7d2e771d9db43
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.2.231006"
        }
    ]
}

Affected versions

1.*
1.0.230410
1.1.230416
1.2.230428
2.*
2.0.230528
2.0.230618
2.1.230814
2.2.231006

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43844.json"