PT-2025-19766 · Unknown · Retrieval-Based-Voice-Conversion-Webui

Sylwia Budzynska +1 · Published 2025-05-05 · Updated 2025-08-01 · CVE-2025-43851

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The model_choose variable takes user input, such as a path to a model, and passes it to the uvr function in vr.py. In uvr, a new instance of the AudioPre class is created with the model_path attribute containing that user input. The AudioPre class then loads the model at that path with torch.load, which can lead to unsafe deserialization and remote code execution. As of the time of publication, no known patches exist.

Recommendations

For versions 2.2.231006 and prior, as a temporary workaround, consider disabling the uvr function in vr.py until a patch is available. Restrict access to the AudioPre class to minimize the risk of exploitation. Avoid using the model_choose variable in the affected code until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
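One way to narrow the path from user input to torch.load while no patch exists, as an added example that is not code from the project or from this advisory: the user's choice is accepted only as a bare file name inside a trusted weights directory, and the checkpoint is loaded with weights_only=True. The function names, the weights directory and the extension allowlist are assumptions, as is the premise that the project's checkpoints load under weights_only=True (available in PyTorch 1.13 and later).

```python
"""Added example (not project code): constrain a user-chosen model name to a
trusted weights directory before it reaches torch.load."""
import os
from pathlib import Path

ALLOWED_SUFFIXES = {".pth", ".pt"}  # assumption: checkpoint extensions in use


class UntrustedModelPath(ValueError):
    """Raised when the requested model is outside the trusted directory."""


def resolve_model_path(user_choice: str, weights_root: str) -> Path:
    """Map a user-supplied model name to a file inside weights_root, or raise."""
    root = Path(weights_root).resolve(strict=True)
    if not user_choice or "\x00" in user_choice:
        raise UntrustedModelPath("empty or malformed model name")
    # Accept a bare file name only: no directories, drive letters or '..'.
    if os.path.basename(user_choice) != user_choice or user_choice in (".", ".."):
        raise UntrustedModelPath("model name must not contain path components")
    candidate = root / user_choice
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UntrustedModelPath("unexpected file extension")
    # resolve() follows symlinks, so a link pointing outside root is rejected.
    resolved = candidate.resolve(strict=False)
    if resolved.parent != root or not resolved.is_file():
        raise UntrustedModelPath("model is not a regular file in the weights directory")
    return resolved


def load_checkpoint(user_choice: str, weights_root: str):
    """Load tensors only; weights_only=True makes torch.load refuse arbitrary pickled objects."""
    import torch  # imported lazily so the path check is usable without PyTorch

    path = resolve_model_path(user_choice, weights_root)
    return torch.load(path, map_location="cpu", weights_only=True)
```

The path check limits which files can be loaded; it does not make a file in the weights directory trustworthy, so write access to that directory needs the same restriction.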

Exploit

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-43851

Affected Products

Retrieval-Based-Voice-Conversion-Webui