CVE-2025-43852 in Retrieval-based-Voice-Conversion-WebUIinfo

Summary

by MITRE • 05/05/2025

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function in vr.py. In uvr , if model_name contains the string "DeEcho", a new instance of AudioPreDeEcho class is created with the model_path attribute containing the aforementioned user input. In the AudioPreDeEcho class, the user input is used to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/01/2025

The vulnerability identified as CVE-2025-43852 affects the Retrieval-based-Voice-Conversion-WebUI framework, a voice changing system built upon the VITS architecture. This particular flaw resides in versions 2.2.231006 and earlier, presenting a critical security risk through unsafe deserialization practices. The vulnerability manifests when the model_choose variable processes user-provided input, specifically paths to model files, and subsequently passes this information to the uvr function within vr.py. This architectural weakness creates a direct pathway for malicious actors to exploit the system's deserialization mechanism.

The technical exploitation occurs within the uvr function where the model_name parameter is evaluated for the presence of the string "DeEcho". When this condition is met, the system instantiates an AudioPreDeEcho class with a model_path attribute populated by the user-provided input. This design flaw represents a classic unsafe deserialization vulnerability, where user-controllable data is directly used to load model files without proper validation or sanitization. The AudioPreDeEcho class then employs torch.load to load the model from the specified path, creating an execution environment where malicious code can be loaded and executed. This process directly violates security principles by allowing arbitrary code execution through the model loading mechanism, as the torch.load function does not perform adequate input validation to prevent malicious payload injection.

The operational impact of this vulnerability extends beyond simple code execution, potentially enabling full system compromise through remote code execution capabilities. An attacker could craft malicious model files containing malicious code that would be executed when loaded by the vulnerable system, effectively allowing for remote command execution, data exfiltration, and system persistence. The absence of known patches at the time of publication creates a particularly concerning scenario for organizations relying on this framework, as they face immediate risk without remediation options. This vulnerability aligns with CWE-502, which specifically addresses unsafe deserialization in software systems, and presents a clear pathway for attackers to leverage the ATT&CK technique of Execution through the use of loaded malicious code.

Organizations utilizing this framework should implement immediate mitigations including input validation and sanitization measures to prevent user-provided paths from being directly used in model loading operations. The recommended approach involves implementing strict path validation, restricting file access to predefined directories, and employing secure deserialization practices that prevent arbitrary code loading. Additionally, network segmentation and access controls should be implemented to limit exposure of vulnerable systems, while monitoring for unusual file loading patterns or unauthorized model modifications. Given the critical nature of this vulnerability and the lack of available patches, administrators should consider disabling or isolating affected systems until proper security measures can be implemented. The vulnerability demonstrates the importance of secure coding practices in machine learning frameworks, particularly when handling user-provided data through potentially dangerous functions like torch.load that can execute arbitrary code during model loading operations.

Responsible

GitHub M

Reservation

04/17/2025

Disclosure

05/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00806

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!