CVE-2025-49833 HIGH

CVE-2025-49833: GHSL-2025-045: GPT-SoVITS Command Injection vulnerability

Vendor Rvc-Boss
Product GPT-SoVITS
Weakness CWE-77
Published July 15, 2025
Last update July 16, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the open_slice function of webui.py. slice_opt_root and slice-inp-path take user input, which is passed to open_slice; the function concatenates that input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.
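The concatenation pattern described above, next to a hardened argv-list form, as an added example that is not GPT-SoVITS code. The script name `slice_audio.py`, the function names and the sample input are assumptions; the two parameters mirror the input names in the description.

```python
import json
import shlex
import subprocess
import sys

# Constructed input: a benign marker command stands in for attacker-chosen text.
CRAFTED = 'in.wav" ; echo INJECTED ; "'

def build_cmd_concat(slice_inp_path, slice_opt_root):
    """Pattern the advisory describes: user input concatenated into one string.
    'slice_audio.py' is a hypothetical script name, not taken from the project."""
    return 'python slice_audio.py "%s" "%s"' % (slice_inp_path, slice_opt_root)

def shell_operators(cmd_string):
    """Tokenize as a POSIX shell would; return tokens made only of control chars."""
    lexer = shlex.shlex(cmd_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]

def run_without_shell(slice_inp_path, slice_opt_root):
    """Hardened form: pass an argv list (no shell) and report what the child got."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(child + [slice_inp_path, slice_opt_root],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

if __name__ == "__main__":
    # A plain path adds no operators; the crafted value adds command separators.
    print(shell_operators(build_cmd_concat("in.wav", "out")))
    print(shell_operators(build_cmd_concat(CRAFTED, "out")))
    # Without a shell the same value reaches the child as one literal argument.
    print(run_without_shell(CRAFTED, "out"))
```

The string form is only tokenized here, never executed; the argv form is executed to show that the quotes and separators in the value are not interpreted.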

Key dates

02 Disclosure timeline

July 15, 2025 CVE published
July 16, 2025 Record updated