Description

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes user input and passes it to the load_sovits_new function in process_ckpt.py. In load_sovits_new, the user input, here sovits_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.

INFO

Published Date :

2025-07-15T20:43:02.861Z

Last Modified :

2025-07-18T14:42:18.165Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49841 vulnerability.

Vendors Products
Rvc-boss
  • Gpt-sovits-webui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49841.

URL Resource
https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L873 cve-icon cve-icon
https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/inference_webui.py#L926 cve-icon cve-icon
https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/GPT_SoVITS/process_ckpt.py#L100-L106 cve-icon cve-icon
https://securitylab.github.com/advisories/GHSL-2025-049_GHSL-2025-053_RVC-Boss_GPT-SoVITS/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact