CVE-2025-43847 in Retrieval-based-Voice-Conversion-WebUIinformazioni

Riassunto

di MITRE • 05/05/2025

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path2 variable takes user input (e.g. a path to a model) and passes it to the extract_small_model function in process_ckpt.py, which uses it to load the model on that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of time of publication, no known patches exist.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsabile

GitHub M

Prenotare

17/04/2025

Divulgazione

05/05/2025

Moderazione

accettato

CPE

pronto

EPSS

0.00772

KEV

no

Attività

molto basso

Fonti

Want to stay up to date on a daily basis?

Enable the mail alert feature now!