PT-2025-19748 · Unknown · Retrieval-Based-Voice-Conversion-Webui

Sylwia Budzynska · Published 2025-05-05 · Updated 2025-08-01 · CVE-2025-43845

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description: Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The `ckpt_path2` variable takes user input, such as a path to a model, and passes it to the `change_info` function. This function replaces the final component of the given path with `train.log`, opens and reads that file, and then passes its contents to `eval`, which can lead to remote code execution. As of the time of publication, no known patches exist.

Recommendations: For versions 2.2.231006 and prior, as a temporary workaround, consider restricting the input to the `ckpt_path2` variable so that malicious paths cannot reach the `change_info` function. Additionally, avoid using the `eval` function on untrusted input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
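As an added illustration of the two recommendations above (example code written for this advisory, not the project's own; the `MODELS_ROOT` directory and the assumption that `train.log` holds a Python dict literal are constructed for the example), the unsafe pattern beside a hardened replacement that confines the path and parses the log as data rather than code:

```python
import ast
from pathlib import Path

# Constructed for this example: models are only permitted under one
# directory, and each model's train.log is expected to hold a dict literal.
MODELS_ROOT = Path("/tmp/example_models")  # assumed location


def unsafe_change_info(log_text: str) -> dict:
    """The pattern the advisory describes: file contents go straight to
    eval(), so whatever the log contains runs with the server's privileges."""
    return eval(log_text)


def resolve_model_path(user_path: str, root: Path = MODELS_ROOT) -> Path:
    """Confine a user-supplied ckpt_path2 value to the allowed model
    directory. Absolute paths and '..' segments that leave the root raise."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes model directory: {user_path}")
    return candidate


def parse_train_log(log_text: str) -> dict:
    """Parse train.log as data, not code: ast.literal_eval accepts only
    literals (dicts, lists, strings, numbers) and rejects names and calls."""
    try:
        info = ast.literal_eval(log_text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("train.log is not a Python literal") from exc
    if not isinstance(info, dict):
        raise ValueError("train.log does not hold a dict literal")
    return info


def safe_change_info(ckpt_path2: str) -> dict:
    """Hardened replacement: constrained path first, literal-only parse second."""
    log_path = resolve_model_path(ckpt_path2).parent / "train.log"
    return parse_train_log(log_path.read_text())
```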

Tags: Exploit · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-43845

Affected Products: Retrieval-Based-Voice-Conversion-Webui