CVE-2025-49840
- Source
- https://cve.org/CVERecord?id=CVE-2025-49840
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49840.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-49840
- Published
- 2025-07-15T20:42:09.931Z
- Modified
- 2026-04-02T12:51:43.250186Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- GHSL-2025-052: GPT-SoVITS Deserialization of Untrusted Data vulnerability
- Details
-
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inferencewebui.py. The GPTdropdown variable takes user input and passes it to the changegptweights function. In changegptweights, the user input, here gpt_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-502" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49840.json" }- References
-
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L310
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L872
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L927
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49840.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-49840
- https://securitylab.github.com/advisories/GHSL-2025-049_GHSL-2025-053_RVC-Boss_GPT-SoVITS/