CVE-2025-49838
📋 TL;DR
This vulnerability allows remote code execution through unsafe deserialization in GPT-SoVITS-WebUI. Attackers can exploit this by providing malicious model files that execute arbitrary code when loaded via torch.load. All users running vulnerable versions of GPT-SoVITS-WebUI are affected.
💻 Affected Systems
- GPT-SoVITS-WebUI
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to service disruption, data exfiltration, or cryptocurrency mining malware deployment.
If Mitigated
Limited impact with proper network segmentation and minimal privileges, potentially only affecting the application service.
🎯 Exploit Status
The vulnerability is straightforward to exploit by crafting malicious .pth files. No authentication is required to trigger the vulnerable code path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2025-049_GHSL-2025-053_RVC-Boss_GPT-SoVITS/
Restart Required: Yes
Instructions:
1. Monitor the official GitHub repository for patches.
2. When available, update to the patched version.
3. Restart the application service.
🔧 Temporary Workarounds
Input Validation and Sanitization
Platform: all
Add validation to reject user-controlled model paths, or restrict them to safe directories.
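# Modify vr.py to validate model_path input
# Example: restrict to a specific safe directory
import os
safe_dir = os.path.realpath('/safe/models')
# Resolve symlinks and '..' first; a bare startswith() check passes
# paths such as '/safe/models/../../tmp/x.pth'
resolved = os.path.realpath(model_path)
if os.path.commonpath([resolved, safe_dir]) != safe_dir:
    raise ValueError('Invalid model path')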
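Path validation limits where a model is read from, not what the file contains. As an added example (not code from the advisory or the GPT-SoVITS project), the following stdlib-only check lists the globals a checkpoint's pickle stream would import, without unpickling it, and rejects anything outside an allowlist. The `ALLOWED` set, the function names and the sample data are assumptions made for illustration.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist for a plain state_dict checkpoint; extend it for your models.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "LongStorage")}
UNRESOLVED = ("<unresolved>", "<unresolved>")
MEMO_PUT = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}

def pickle_imports(data: bytes) -> set:
    """List the (module, name) globals a pickle stream imports, without unpickling it."""
    found, recent, memo = set(), [], {}
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in ("PROTO", "FRAME"):  # framing only, no effect on the stack
            continue
        if op.name in MEMO_PUT:  # remember the value that was just pushed
            memo[len(memo) if op.name == "MEMOIZE" else arg] = recent[-1] if recent else None
            continue
        if op.name in ("GLOBAL", "INST"):  # text form: "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # module and name are the two preceding pushes
            pair = tuple(recent[-2:])
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(pair if ok else UNRESOLVED)  # fail closed if not plain strings
        elif op.name.startswith("EXT"):  # copyreg extension codes hide the real global
            found.add(UNRESOLVED)
        is_str = "UNICODE" in op.name  # only unicode pushes count as plain strings
        recent.append(memo.get(arg) if op.name in MEMO_GET else arg if is_str else None)
    return found

def is_safe_checkpoint(path: str) -> bool:
    """True only if every pickle in the file imports nothing outside ALLOWED."""
    try:
        if zipfile.is_zipfile(path):  # zip-format .pth: pickles are the *.pkl members
            with zipfile.ZipFile(path) as zf:
                blobs = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
        else:  # otherwise treat the file as one raw pickle stream
            with open(path, "rb") as fh:
                blobs = [fh.read()]
        return bool(blobs) and all(pickle_imports(b) <= ALLOWED for b in blobs)
    except Exception:  # unreadable or malformed input is rejected, not loaded
        return False

# Constructed samples: a benign mapping, and a pickle that only references a function.
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
SUSPECT = pickle.dumps(pickletools.dis, protocol=4)
```

Call `is_safe_checkpoint(model_path)` before the file reaches `torch.load`. PyTorch also accepts `torch.load(path, weights_only=True)`, which enforces a comparable restriction at load time.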
Network Isolation
Platform: linux
Restrict network access to the WebUI interface.
# Linux firewall example
sudo iptables -A INPUT -p tcp --dport [WEBUI_PORT] -s [TRUSTED_IP] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [WEBUI_PORT] -j DROP
🧯 If You Can't Patch
- Disable or remove the vulnerable vr.py module if not essential for functionality
- Run the application in a highly restricted container or sandbox with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check if your GPT-SoVITS-WebUI version is 20250228v3 or earlier by examining version files or installation date
Check Version:
grep -r 'version' ./*.py ./*.md ./*.txt 2>/dev/null | grep -i '20250228v3\|version'
Verify Fix Applied:
When patch becomes available, verify the updated version number and test that malicious .pth files are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual model file load attempts
- Python tracebacks mentioning torch.load failures
- Process spawning from the WebUI service
Network Indicators:
- Unexpected outbound connections from WebUI server
- Large data exfiltration from model directories
SIEM Query:
process_name:"python" AND (process_args:"torch.load" OR process_args:"uvr.py") AND NOT user:trusted_user
🔗 References
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/tools/uvr5/vr.py#L216
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/tools/uvr5/webui.py#L157
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/tools/uvr5/webui.py#L192-L205
- https://github.com/RVC-Boss/GPT-SoVITS/blob/165882d64f474b3563fa91adc1a679436ae9c3b8/tools/uvr5/webui.py#L64-L70
- https://securitylab.github.com/advisories/GHSL-2025-049_GHSL-2025-053_RVC-Boss_GPT-SoVITS/