Cyber Resilience

CVE-2025-43842

Severity: High · RCE

Published: 05 May 2025
Modified: 01 August 2025
KEV Added: not listed
Patch: none available

CVSS v4.0 Score: 8.9 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0334 (87.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-43842 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Project Retrieval-Based-Voice-Conversion-Webui. Its CVSS base score is 8.9 (High).

Operationally, it ranks in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Retrieval-based-Voice-Conversion-WebUI, a VITS-based voice conversion framework, contains a command-injection vulnerability in versions 2.2.231006 and earlier. User-controlled values for the variables exp_dir1, np7, trainset_dir4, and sr2 are passed directly into the preprocess_dataset function in infer-web.py, where they are concatenated into a shell command that is executed on the server. The issue is tracked as CWE-77 and carries a CVSS 4.0 score of 8.9.

An unauthenticated remote attacker can supply crafted input over the network to achieve arbitrary command execution, resulting in full control over confidentiality, integrity, and availability on the affected host. The exploit-maturity metric in the CVSS vector (E:P) indicates that proof-of-concept exploit code exists.

The GitHub Security Lab advisory GHSL-2025-012_GHSL-2025-022 and the linked source lines confirm the data flow from the web endpoints to the vulnerable string concatenation. No patches are available as of the May 2025 disclosure date. The associated EPSS score has remained flat at 0.0334, with no material increase since publication.
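The following is an added, hypothetical illustration (not the project's code) of the pattern the advisory describes: a launcher that pastes the four request fields into one shell string, beside a hardened version that validates each field and runs the preprocessing step as an argv list without a shell. The script path, sample-rate allowlist and worker-count bounds are assumptions made for this example.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical stand-ins for the framework's launcher settings; these names
# and paths are assumptions for this example, not the project's real values.
PYTHON_CMD = "python3"
PREPROCESS_SCRIPT = "infer/modules/train/preprocess.py"
ALLOWED_SAMPLE_RATES = {"32k", "40k", "48k"}          # allowlist assumed here
EXP_DIR_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")       # experiment name shape


def build_command_unsafe(exp_dir1, np7, trainset_dir4, sr2):
    """The vulnerable pattern: every request field is pasted into one string.
    If that string is handed to a shell, any shell metacharacter the user
    typed is parsed as shell syntax instead of being treated as data."""
    return f"{PYTHON_CMD} {PREPROCESS_SCRIPT} {trainset_dir4} {sr2} {np7} logs/{exp_dir1}"


def build_command_safe(exp_dir1, np7, trainset_dir4, sr2):
    """Hardened pattern: validate each field against an allowlist or a strict
    shape, then return an argv list for subprocess.run() without shell=True,
    so no value is ever interpreted by a shell."""
    if not EXP_DIR_RE.fullmatch(exp_dir1):
        raise ValueError("exp_dir1 must be a short name of letters, digits, '_' or '-'")
    if sr2 not in ALLOWED_SAMPLE_RATES:
        raise ValueError("sr2 must be a supported sample rate")
    n_p = int(np7)                      # non-integer input raises ValueError
    if not 1 <= n_p <= 64:
        raise ValueError("np7 must be between 1 and 64")
    train_dir = Path(trainset_dir4).resolve()
    if not train_dir.is_dir():          # also the place to confine to a base directory
        raise ValueError("trainset_dir4 must be an existing directory")
    return [PYTHON_CMD, PREPROCESS_SCRIPT, str(train_dir), sr2, str(n_p), f"logs/{exp_dir1}"]


def run_preprocess(exp_dir1, np7, trainset_dir4, sr2):
    """Launch the preprocessing step with the validated argv list (no shell)."""
    argv = build_command_safe(exp_dir1, np7, trainset_dir4, sr2)
    return subprocess.run(argv, check=True)
```

Passing a list to subprocess.run without shell=True means the operating system receives the arguments as-is; the validation on top limits each field to the values the training step actually needs.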

EU & UK References

Vulnerability details

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and sr2 take user input and pass it to the preprocess_dataset function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rvc-project / retrieval-based-voice-conversion-webui, versions ≤ 2.2.231006

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References