CVE-2025-43846

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-43846
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43846.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43846
Published
2025-05-05T17:16:55.957Z
Modified
2026-04-02T12:48:26.039041Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
GHSL-2025-016_Retrieval-based-Voice-Conversion-WebUI
Details

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptpath1 variable takes user input (e.g. a path to a model) and passes it to the showinfo function in process_ckpt.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Database specific 
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43846.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rvc-project/retrieval-based-voice-conversion-webui

Affected ranges

Type
GIT
Repo
https://github.com/rvc-project/retrieval-based-voice-conversion-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9f2f0559e6932c10c48642d404e7d2e771d9db43
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.2.231006"
        }
    ]
}

Affected versions

1.*
1.0.230410
1.1.230416
1.2.230428
2.*
2.0.230528
2.0.230618
2.1.230814
2.2.231006

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43846.json"