PT-2025-19767 · Unknown · Retrieval-Based-Voice-Conversion-Webui

Sylwia Budzynska · Published 2025-05-05 · Updated 2025-08-01 · CVE-2025-43852

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior

Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The model_choose variable takes user input, such as a path to a model, and passes it to the uvr function in vr.py. If model_name contains the string "DeEcho", a new instance of the AudioPreDeEcho class is created with its model_path attribute set to that user input. The AudioPreDeEcho class then loads the model at that path with torch.load, which can lead to unsafe deserialization and remote code execution. No known patches exist as of the time of publication.

Recommendations

For versions 2.2.231006 and prior, consider disabling the uvr function in vr.py or restricting the use of the model_choose variable to minimize the risk of exploitation until a patch is available. Avoid using the model_path attribute in the AudioPreDeEcho class to load models from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
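
One way to vet a file before it reaches torch.load, shown as an added example (not code from the project or from this advisory): it lists the globals a pickle stream would import, without unpickling it, and rejects anything outside an allowlist. ALLOWED_GLOBALS, pickle_globals and is_loadable are hypothetical names, and the input is assumed to be a bare pickle stream, such as the data.pkl member of a checkpoint archive.

```python
import collections
import io
import pickle
import pickletools

# Assumed allowlist (hypothetical): the only global a plain state_dict of
# built-in containers needs. Real checkpoints need more; extend deliberately.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def pickle_globals(data: bytes) -> set:
    """List the (module, name) pairs a pickle stream would import, without
    executing it. Anything that cannot be resolved is reported as ("?", ...)."""
    found, recent, memo = set(), [], {}
    stream = io.BytesIO(data)
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            # Memo ops leave the stack alone; remember the top if it is a string.
            memo[len(memo) if op.name == "MEMOIZE" else arg] = recent[-1] if recent else None
            continue
        pushed = None
        if op.name in STRING_OPS:
            pushed = arg
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            pair = tuple(recent[-2:])
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(pair if ok else ("?", "unresolved STACK_GLOBAL"))
        elif op.name.startswith("EXT"):
            found.add(("?", "copyreg extension"))
        recent.append(pushed)
    if stream.read(1):
        found.add(("?", "trailing data after STOP"))
    return found

def is_loadable(data: bytes) -> bool:
    """Fail closed: malformed streams and non-allowlisted imports are rejected."""
    try:
        return pickle_globals(data) <= ALLOWED_GLOBALS
    except Exception:
        return False

# Constructed samples: an allowlisted container and a benign but non-allowlisted global.
GOOD = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]))
OTHER = pickle.dumps(collections.Counter("aab"))
```

Run a check like this on the file selected by model_choose before it is loaded, and keep the allowlist as small as the checkpoints in use permit. torch.load's weights_only=True option applies a comparable allowlist at load time.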

Exploit

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-43852

Affected Products

Retrieval-Based-Voice-Conversion-Webui