CVE-2025-43843 HIGH

CVE-2025-43843: GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI

Vendor Rvc-Project
Product Retrieval-based-Voice-Conversion-WebUI
Weakness CWE-77
Published May 5, 2025
Last update May 5, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
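The concatenation pattern described above, next to a hardened form, as an added example that is not the project's code. The script name, log path layout, limits and f0 method list are assumptions made for illustration, and the crafted input is constructed.

```python
import re
import shlex
import sys

# Assumptions (not from the advisory): script name, log layout, limits, method list.
SCRIPT = "extract_f0.py"
ALLOWED_F0_METHODS = {"pm", "harvest", "dio", "rmvpe"}
EXP_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
SEPARATORS = {";", "&", "&&", "|", "||"}


def build_unsafe_command(exp_dir, n_proc, f0_method):
    """The vulnerable pattern: request values concatenated into a shell string."""
    return f"python {SCRIPT} logs/{exp_dir} {n_proc} {f0_method}"


def shell_command_count(cmd):
    """Count the commands a POSIX shell would see in cmd (split on control operators)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return 1 + sum(tok in SEPARATORS for tok in lexer)


def build_safe_argv(exp_dir, n_proc, f0_method):
    """Validate each field, then return an argv list for subprocess.run(argv)."""
    if not EXP_NAME_RE.fullmatch(str(exp_dir)):
        raise ValueError("experiment name must match [A-Za-z0-9_-]{1,64}")
    n = int(n_proc)  # ValueError on anything that is not an integer
    if not 1 <= n <= 64:
        raise ValueError("process count out of range")
    if f0_method not in ALLOWED_F0_METHODS:
        raise ValueError("unknown f0 method")
    # No shell is involved, so each element reaches the child as one argument.
    return [sys.executable, SCRIPT, f"logs/{exp_dir}", str(n), f0_method]


if __name__ == "__main__":
    crafted = "demo; echo INJECTED"  # constructed sample input
    print(shell_command_count(build_unsafe_command("demo", 4, "pm")))    # 1
    print(shell_command_count(build_unsafe_command(crafted, 4, "pm")))   # 2
    print(build_safe_argv("demo", "4", "pm"))
    try:
        build_safe_argv(crafted, "4", "pm")
    except ValueError as exc:
        print("rejected:", exc)
```

The validated list is meant to be passed to `subprocess.run(argv)` with the default `shell=False`.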

Key dates

02 Disclosure timeline

May 5, 2025 CVE published
May 5, 2025 Record updated