CVE-2025-43850

Name of the Vulnerable Software and Affected Versions Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The issue arises from unsafe deserialization. The ckpt dir variable takes user input, such as a path to a model, and passes it to the change info function in export.py. This function uses torch.load to load the model from the provided path, which can lead to unsafe deserialization and remote code execution. As of the time of publication, no known patches exist.

Recommendations For versions 2.2.231006 and prior, consider disabling the change info function in export.py or restricting user input for the ckpt dir variable to prevent unsafe deserialization until a patch is available. Avoid using the ckpt dir variable in the affected export.py file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.