CVE-2025-43848
📋 TL;DR
CVE-2025-43848 is an unsafe deserialization vulnerability in Retrieval-based-Voice-Conversion-WebUI that allows remote code execution. Attackers can exploit this by providing a malicious model file path, which gets deserialized via torch.load(). All users running versions 2.2.231006 and prior are affected.
💻 Affected Systems
- Retrieval-based-Voice-Conversion-WebUI
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, data theft, and lateral movement within the network.
Likely Case
Remote code execution leading to service disruption, data exfiltration, and installation of backdoors or malware.
If Mitigated
Limited impact with proper input validation and file path restrictions, potentially only causing denial of service.
🎯 Exploit Status
The vulnerability requires user input to a specific parameter, but exploitation is straightforward once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/
Restart Required: Yes
Instructions:
1. Monitor the official GitHub repository for patches.
2. When a patch is released, update to the fixed version.
3. Restart the application service.
🔧 Temporary Workarounds
Input Validation and Path Restriction
Platform: all
Implement strict validation on ckpt_path0 input to only allow safe, predefined paths and prevent arbitrary file loading.
# Modify process_ckpt.py to validate ckpt_path0
# Example (resolve '..' and symlinks before comparing):
# if not os.path.realpath(ckpt_path0).startswith('/safe/path/'): raise ValueError('Invalid path')
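An added example (not code from the RVC project or the advisory) of the path check this workaround describes: it compares a prefix test on the raw string with a check that canonicalises the path before testing containment. The models directory, the .pth suffix and all function names are assumptions, and the sample paths are constructed.

```python
import os
import tempfile
from pathlib import Path


def naive_check(user_path: str, prefix: str) -> bool:
    """Prefix test on the raw string; '..' segments defeat it."""
    return user_path.startswith(prefix)


def resolve_checkpoint(user_path: str, allowed_dir: str) -> Path:
    """Return the canonical path if it lies inside allowed_dir, else raise ValueError."""
    if not user_path or "\x00" in user_path or "://" in user_path:
        raise ValueError("malformed path or URL")
    base = Path(allowed_dir).resolve(strict=True)
    # resolve() collapses '..' and follows symlinks before the containment test
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("path escapes the allowed directory") from None
    if candidate.suffix.lower() != ".pth" or not candidate.is_file():
        raise ValueError("not a regular .pth file")  # .pth suffix is an assumption
    return candidate


def demo() -> dict:
    """Run both checks over constructed sample inputs in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        models = Path(tmp, "models")
        models.mkdir()
        (models / "voice.pth").write_bytes(b"constructed sample")
        Path(tmp, "upload.pth").write_bytes(b"constructed sample")
        os.symlink(Path(tmp, "upload.pth"), models / "link.pth")
        prefix = str(models) + os.sep
        samples = ["voice.pth", prefix + "../upload.pth", "link.pth",
                   "/etc/hosts", "http://example.invalid/m.pth"]
        for s in samples:
            try:
                resolve_checkpoint(s, str(models))
                strict = True
            except ValueError:
                strict = False
            results[s.replace(tmp, "<tmp>")] = (naive_check(s, prefix), strict)
    return results


if __name__ == "__main__":
    print(demo())
```

The directory passed as allowed_dir has to be one that untrusted users cannot write to, because torch.load() still deserializes whatever file the check accepts.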
Network Segmentation
Platform: linux
Isolate the vulnerable application in a restricted network segment with no internet access.
# Configure firewall rules to restrict inbound/outbound traffic
# Example: iptables -A INPUT -p tcp --dport [APP_PORT] -j DROP
🧯 If You Can't Patch
- Disable or restrict access to the vulnerable functionality that accepts ckpt_path0 input.
- Implement application-level firewall (WAF) rules to block malicious payloads targeting the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the version in the application configuration or by examining the source code for version markers. If using version 2.2.231006 or earlier, you are vulnerable.
Check Version:
Run grep -r 'version' over the configuration files, or check the GitHub repository commit history for version tags.
Verify Fix Applied:
After applying workarounds, test that the ckpt_path0 input is properly validated and cannot load arbitrary files.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in ckpt_path0 input
- Errors from torch.load() with unexpected file types
- Process execution from the application with suspicious arguments
Network Indicators:
- Unexpected outbound connections from the application server
- Traffic to/from the application containing serialized payloads
SIEM Query:
source="application.log" AND (ckpt_path0 CONTAINS ".." OR ckpt_path0 CONTAINS "/tmp/" OR ckpt_path0 CONTAINS "http")
🔗 References
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer/lib/train/process_ckpt.py#L196
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/9f2f0559e6932c10c48642d404e7d2e771d9db43/infer-web.py#L1415
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/9f2f0559e6932c10c48642d404e7d2e771d9db43/infer-web.py#L1431
- https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/