PT-2025-29680 · Unknown · Gpt-Sovits-Webui

Sylwia Budzynska +1 · Published 2025-07-15 · Updated 2025-07-16 · CVE-2025-49838

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
GPT-SoVITS-WebUI versions 20250228v3 and prior

Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. A flaw exists due to unsafe deserialization in the vr.py AudioPreDeEcho component. The `model_choose` variable accepts user-supplied input, such as a model path, and passes it to the `uvr` function. Within `uvr`, an instance of the `AudioPreDeEcho` class is created, with the user input as its `model_path` attribute after the '.pth' extension is appended. The `AudioPreDeEcho` class then uses this user-controlled path to load a model via `torch.load`, potentially leading to unsafe deserialization.

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
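
One way to close the path described above while no fixed release is available, as an added example that is not code from GPT-SoVITS-WebUI or from the advisory: treat `model_choose` as a lookup key into a directory of vetted checkpoints and load the result with `torch.load(..., weights_only=True)`. The directory `trusted_weights` and the functions `resolve_model_path` and `load_checkpoint` are hypothetical names, and it is an assumption that the project's checkpoints load under `weights_only=True`.

```python
from pathlib import Path

# Hypothetical directory of operator-vetted checkpoints (assumption, not from the advisory).
WEIGHTS_DIR = Path("trusted_weights")


def resolve_model_path(model_choose: str, weights_dir: Path = WEIGHTS_DIR) -> Path:
    """Return the vetted .pth file selected by model_choose, or raise ValueError.

    The user-supplied value is used only as a lookup key and is never joined into
    a path, so separators, '..' and absolute paths cannot select a file outside
    weights_dir.
    """
    base = weights_dir.resolve()
    allowed = {}
    for p in base.glob("*.pth"):
        real = p.resolve()
        # Skip non-files and symlinks whose target lies outside the directory.
        if real.is_file() and real.parent == base:
            allowed[p.stem] = real
    if not isinstance(model_choose, str) or model_choose not in allowed:
        raise ValueError(f"model {model_choose!r} is not in the allowlist")
    return allowed[model_choose]


def load_checkpoint(model_choose: str, weights_dir: Path = WEIGHTS_DIR):
    """Load a vetted checkpoint with PyTorch's restricted unpickler."""
    import torch  # imported lazily so the path check works without PyTorch installed

    path = resolve_model_path(model_choose, weights_dir)
    # weights_only=True limits unpickling to tensors, primitive types and
    # dictionaries instead of arbitrary Python objects.
    return torch.load(path, map_location="cpu", weights_only=True)
```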

Exploit

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
CVE-2025-49838

Affected Products
Gpt-Sovits-Webui