CVE-2025-49839

Name of the Vulnerable Software and Affected Versions GPT-SoVITS-WebUI versions 20250228v3 and prior

Description GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. A deserialization issue exists in the bsroformer.py file. The model choose variable accepts user-supplied input, such as a model path, and passes it to the uvr function. Within uvr, a Roformer Loader class instance is created, utilizing the user input as the model path attribute after appending the .ckpt extension. The Roformer Loader class then uses this user-controlled model path with torch.load, potentially leading to unsafe deserialization.

Recommendations Versions prior to 20250228v3: At the moment, there is no information about a newer version that contains a fix for this vulnerability.