CVE-2025-49837

Name of the Vulnerable Software and Affected Versions GPT-SoVITS-WebUI versions 20250228v3 and prior

Description GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. A flaw exists due to unsafe deserialization in the vr.py AudioPre module. The model choose variable accepts user-supplied input, including a path to a model, and passes it to the uvr function. Within uvr, an instance of the AudioPre class is created, utilizing the user-provided input as the model path attribute, with the .pth extension appended. The AudioPre class then uses this model path to load the model using torch.load, which can result in unsafe deserialization.

Recommendations Versions prior to 20250228v3 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.