CVE-2025-43848

Name of the Vulnerable Software and Affected Versions Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The ckpt path0 variable takes user input, such as a path to a model, and passes it to the change info function in process ckpt.py. This function uses torch.load to load the model on that path, which can lead to unsafe deserialization and remote code execution. As of the time of publication, no known patches exist.

Recommendations For versions 2.2.231006 and prior, as a temporary workaround, consider restricting the input to the ckpt path0 variable to prevent unsafe deserialization. Additionally, avoid using the change info function in process ckpt.py until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.