Command Injection Vulnerability in GPT-SoVITS-WebUI by RVC-Boss
CVE-2025-49834

8.9HIGH

Key Information:

Vendor: Rvc-boss
Status: Gpt-sovits
Vendor: CVE Published:; 15 July 2025

What is CVE-2025-49834?

The GPT-SoVITS-WebUI is susceptible to a command injection vulnerability in the open_denoise function within webui.py. This flaw allows an attacker to inject arbitrary commands through user inputs in the denoise_inp_dir and denoise_opt_dir parameters. Consequently, these inputs are concatenated into a command that is executed on the server. As of now, no patches have been released to mitigate this vulnerability, leaving installations vulnerable to potential exploitation.

Affected Version(s)

GPT-SoVITS <= 20250228v3

References

https://securitylab.github.com/advisories/GHSL-2025-045_G...

x_refsource_CONFIRM

https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474...

x_refsource_MISC

https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2025
Vulnerability Reserved
Jun 11, 2025

Rvc-boss

What is CVE-2025-49834?

Affected Version(s)

References

CVSS V4

Timeline