CVE-2025-43846

Name of the Vulnerable Software and Affected Versions Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The ckpt path1 variable takes user input, such as a path to a model, and passes it to the show info function in process ckpt.py. This function uses torch.load to load the model on that path, which can lead to unsafe deserialization and remote code execution. As of the time of publication, no known patches exist.

Recommendations For versions 2.2.231006 and prior, as a temporary workaround, consider restricting the use of the ckpt path1 variable and the show info function in process ckpt.py to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.