Unsafe Deserialization in GPT-SoVITS-WebUI by RVC-Boss
CVE-2025-49839
What is CVE-2025-49839?
GPT-SoVITS-WebUI, a voice conversion and text-to-speech application by RVC-Boss, contains an unsafe deserialization vulnerability in the bsroformer.py script. The model_choose variable accepts user input, such as a model path, and passes it to the uvr function. That input is then used to create an instance of the Roformer_Loader class, which loads the model with torch.load after a .ckpt extension is appended to the path. Because the path comes from user input, a malicious model file can be loaded and deserialized. As of the publication date, no patched versions exist, so users need to remain vigilant.
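
A defensive sketch of the flow described above, added here and not taken from GPT-SoVITS or the original page: the user-supplied model_choose is confined to one weights directory, and the file is read through an allowlisting unpickler instead of an unrestricted load. Assumptions: Python's stdlib pickle stands in for torch.load, and the names load_checkpoint, resolve_model_path, weights_dir and ALLOWED_GLOBALS are hypothetical.

```python
import collections
import os
import pickle
import tempfile
from pathlib import Path

# Assumption: the only global a plain weights file is expected to reference here.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every import the pickle stream requests unless it is allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def resolve_model_path(model_choose, weights_dir):
    """Mirror the page's flow (user input + '.ckpt') but confine it to weights_dir."""
    base = Path(weights_dir).resolve()
    candidate = (base / f"{model_choose}.ckpt").resolve()
    if candidate.parent != base:
        raise ValueError(f"model path leaves {base}: {model_choose!r}")
    return candidate


def load_checkpoint(model_choose, weights_dir):
    """Hypothetical stand-in for the unrestricted load behind Roformer_Loader."""
    with open(resolve_model_path(model_choose, weights_dir), "rb") as fh:
        return AllowlistUnpickler(fh).load()


def demo():
    """Constructed inputs: a benign file, a file naming a non-allowlisted global, a traversal."""
    with tempfile.TemporaryDirectory() as d:
        good = collections.OrderedDict(w=[0.1, 0.2])
        Path(d, "good.ckpt").write_bytes(pickle.dumps(good))
        # Harmless constructed sample: a bare reference to os.getcwd, never called.
        Path(d, "bad.ckpt").write_bytes(pickle.dumps(os.getcwd))
        results = {}
        for name in ("good", "bad", "../bad"):
            try:
                results[name] = load_checkpoint(name, d)
            except (pickle.UnpicklingError, ValueError) as exc:
                results[name] = type(exc).__name__
        return results
```

In PyTorch itself, torch.load(path, weights_only=True) applies the same idea with its own allowlist.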

Affected Version(s)
GPT-SoVITS <= 20250228v3
