CVE-2025-49835

Name of the Vulnerable Software and Affected Versions GPT-SoVITS-WebUI versions prior to 20250228v3

Description GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. A command injection issue exists in the webui.py open asr function. The asr inp dir variable (and other variables) accepts user input, which is then incorporated into a command and executed on the server, potentially allowing for arbitrary command execution.

Recommendations Versions prior to 20250228v3 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.