Unsafe Deserialization Vulnerability in GPT-SoVITS-WebUI by RVC-Boss
CVE-2025-49840

8.9HIGH

Key Information:

Vendor: Rvc-boss
Status: Gpt-sovits
Vendor: CVE Published:; 15 July 2025

What is CVE-2025-49840?

The GPT-SoVITS-WebUI, a tool for voice conversion and text-to-speech, is susceptible to an unsafe deserialization vulnerability in the inference_webui.py file. Specifically, the GPT_dropdown variable processes user input and forwards it to the change_gpt_weights function. Within this function, the user-supplied input, termed gpt_path, is leveraged to load a model using the torch.load method, facilitating the potential for unsafe deserialization. As of now, there are no known patches available to mitigate this vulnerability.

Affected Version(s)

GPT-SoVITS <= 20250228v3

References

https://securitylab.github.com/advisories/GHSL-2025-049_G...

x_refsource_CONFIRM

https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474...

x_refsource_MISC

https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2025
Vulnerability Reserved
Jun 11, 2025

Rvc-boss

What is CVE-2025-49840?

Affected Version(s)

References

CVSS V4

Timeline