CVE-2025-49839

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49839

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49839.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49839

Published

2025-07-15T20:40:18.251Z

Modified

2026-04-02T12:51:48.779675Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

GHSL-2025-051: GPT-SoVITS Deserialization of Untrusted Data vulnerability

Details

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The modelchoose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of RoformerLoader class is created with the modelpath attribute containing the aformentioned user input (here called locally modelname). Note that in this step the .ckpt extension is added to the path. In the RoformerLoader class, the user input, here called modelpath, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49839.json",
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/rvc-boss/gpt-sovits

Affected ranges

Type

GIT

Repo

https://github.com/rvc-boss/gpt-sovits

Events

Introduced

Last affected

4fd57b0ea776d396f202e13be180b4c02e4dd957

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "20250228v3"
        }
    ]
}

Affected versions

Other

20240821v2

20250228v3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49839.json"