CVE-2025-49841
- Source
- https://cve.org/CVERecord?id=CVE-2025-49841
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49841.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-49841
- Published
- 2025-07-15T20:43:02.861Z
- Modified
- 2026-04-02T12:51:50.185115Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- GHSL-2025-053: GPT-SoVITS Deserialization of Untrusted Data vulnerability
- Details
-
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in processckpt.py. The SoVITSdropdown variable takes user input and passes it to the loadsovitsnew function in processckpt.py. In loadsovitsnew, the user input, here sovitspath is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
- Database specific
{ "cwe_ids": [ "CWE-502" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49841.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L873
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L926
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/process_ckpt.py#L100-L106
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49841.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-49841
- https://securitylab.github.com/advisories/GHSL-2025-049_GHSL-2025-053_RVC-Boss_GPT-SoVITS/