CVE-2025-43851 in Retrieval-based-Voice-Conversion-WebUIinfo

Summary

by MITRE • 05/05/2025

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function in vr.py. In uvr , a new instance of AudioPre class is created with the model_path attribute containing the aformentioned user input. In the AudioPre class, the user input, is used to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/01/2025

The vulnerability identified as CVE-2025-43851 affects the Retrieval-based-Voice-Conversion-WebUI framework version 2.2.231006 and earlier, representing a critical unsafe deserialization flaw that enables remote code execution. This vulnerability resides within the model selection mechanism of the voice conversion system, where user-provided input directly influences the application's deserialization process. The flaw manifests when the model_choose variable accepts user input containing a file path, which is subsequently passed to the uvr function in vr.py. This function creates a new instance of the AudioPre class with the user-supplied path as the model_path attribute, creating a dangerous chain of execution that bypasses normal security boundaries.

The technical exploitation occurs through the AudioPre class implementation where the user-provided path is used to load a model file using torch.load, a function inherently susceptible to unsafe deserialization attacks. When an attacker crafts a malicious model file with malicious payload embedded within it, the torch.load function executes this payload during the deserialization process, thereby granting the attacker remote code execution capabilities on the target system. This vulnerability aligns with CWE-502, which specifically addresses unsafe deserialization in software systems, and represents a classic example of how untrusted data can be leveraged to execute arbitrary code through the deserialization mechanism. The attack vector is particularly concerning as it requires no authentication or privileged access, making it a high-severity threat that can be exploited remotely.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and potential data exfiltration. An attacker who successfully exploits this vulnerability could gain full control over the voice conversion server, potentially using it as a pivot point to attack other systems within the network. The vulnerability affects systems running the affected framework version, making it particularly dangerous in environments where multiple users have access to the voice conversion interface. The lack of available patches at the time of publication exacerbates the risk, leaving affected organizations without immediate remediation options. This vulnerability maps to several ATT&CK techniques including T1059.001 for command and script interpreter and T1078.004 for valid accounts, as the exploitation could lead to persistent access and privilege escalation within the compromised environment.

Organizations affected by this vulnerability should immediately implement network segmentation to isolate voice conversion services from critical infrastructure and establish monitoring for suspicious file access patterns. The recommended mitigations include validating all user-provided paths through strict input sanitization, implementing a whitelist approach for model files, and restricting file system access permissions for the application. Additionally, organizations should consider implementing application whitelisting policies and using secure coding practices that avoid direct deserialization of untrusted data. The vulnerability demonstrates the importance of secure deserialization practices in machine learning frameworks and highlights the need for comprehensive security testing of AI/ML applications. Network administrators should deploy intrusion detection systems to monitor for potential exploitation attempts and establish incident response procedures specifically addressing unsafe deserialization attacks. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other applications that may be susceptible to the same class of vulnerabilities.

Responsible

GitHub M

Reservation

04/17/2025

Disclosure

05/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00806

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!