CVE-2025-43850

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-43850
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43850.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43850
Published
2025-05-05T18:20:57.088Z
Modified
2026-04-02T12:48:25.959348Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
GHSL-2025-020_Retrieval-based-Voice-Conversion-WebUI
Details

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckptdir variable takes user input (e.g. a path to a model) and passes it to the changeinfo function in export.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Database specific 
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43850.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rvc-project/retrieval-based-voice-conversion-webui

Affected ranges

Type
GIT
Repo
https://github.com/rvc-project/retrieval-based-voice-conversion-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9f2f0559e6932c10c48642d404e7d2e771d9db43
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.2.231006"
        }
    ]
}

Affected versions

1.*
1.0.230410
1.1.230416
1.2.230428
2.*
2.0.230528
2.0.230618
2.1.230814
2.2.231006

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43850.json"