Cyber Resilience

CVE-2025-43844

High · RCE

Published: 05 May 2025
Modified: 01 August 2025
KEV Added: not listed
Patch: none listed
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0367 (88.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-43844 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Project Retrieval-Based-Voice-Conversion-Webui. Its CVSS base score is 8.9 (High).

Operationally, it ranks in the top 11.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Retrieval-based-Voice-Conversion-WebUI, a voice conversion framework based on VITS, is affected by a command injection vulnerability in versions 2.2.231006 and earlier. The issue occurs because user-controlled variables such as exp_dir1 are passed directly into the click_train function, which concatenates them into a shell command executed on the server, enabling arbitrary command execution. The flaw is tracked as CWE-77 and carries a CVSS 4.0 score of 8.9.

Unauthenticated remote attackers can exploit the vulnerability over the network by supplying crafted input to the affected web interface endpoints. Successful exploitation grants full control over the server, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability.

The referenced GitHub Security Lab advisory (GHSL-2025-012 through GHSL-2025-022) and source code links confirm the injection paths in infer-web.py but note that no patches were available at the time of publication. The associated EPSS score remains flat at 0.0367 with no material increase after disclosure.

Vulnerability details

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, among others, take user input and pass it to the click_train function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
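The pattern described in the analysis and vulnerability details above (a user-supplied experiment directory name concatenated into a shell string that the server then executes) is shown next to a hardened form in the following added example. It is illustrative code written for this page, not the project's infer-web.py: the function names build_train_command_unsafe and build_train_command_safe, the LOGS_ROOT directory, the train.py invocation and the sr parameter are all assumptions chosen to mirror the shape of the flaw, and the "unsafe" builder only returns the string, it never runs it.

```python
"""Command-injection pattern from CVE-2025-43844, illustrated (hypothetical code).

The unsafe builder mirrors the flaw described on the page: user input is glued
into one command string destined for a shell.  The safe builder applies the
usual defensive layers: allowlist validation of the name, path confinement
under a fixed root, an allowlist for the secondary parameter, and argv-list
execution with shell=False so no shell ever interprets the input.
"""
import re
import subprocess
from pathlib import Path

# Constructed root for experiment directories (assumption; the real layout is not on the page).
LOGS_ROOT = Path("/tmp/rvc_logs")

# Constructed allowlist for the sample-rate argument (assumption).
ALLOWED_SR = {"32k", "40k", "48k"}

# Experiment names: letters, digits, underscore, hyphen; 1-64 chars.  No '/', '.', or
# shell metacharacters can pass this check.
EXP_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_train_command_unsafe(exp_dir1: str, sr: str = "40k") -> str:
    """VULNERABLE PATTERN (for contrast only, never executed here).

    Whatever the user typed lands verbatim in a string that the original code
    would hand to a shell; any shell metacharacter in exp_dir1 changes the
    command's meaning.
    """
    return "python train.py -e " + exp_dir1 + " -sr " + sr


def validate_exp_name(exp_dir1: str) -> str:
    """Accept only names matching the allowlist pattern; reject everything else."""
    if not EXP_NAME_RE.fullmatch(exp_dir1):
        raise ValueError("experiment name must match [A-Za-z0-9_-]{1,64}")
    return exp_dir1


def build_train_command_safe(exp_dir1: str, sr: str = "40k") -> list[str]:
    """HARDENED FORM: validated input, confined path, argv list (no shell)."""
    name = validate_exp_name(exp_dir1)
    if sr not in ALLOWED_SR:
        raise ValueError("unsupported sample rate")
    # Confine the resulting path under LOGS_ROOT even though the regex already
    # forbids separators; defence in depth against future relaxations of the regex.
    exp_path = (LOGS_ROOT / name).resolve()
    if LOGS_ROOT.resolve() not in exp_path.parents:
        raise ValueError("experiment path escapes the logs root")
    return ["python", "train.py", "-e", str(exp_path), "-sr", sr]


def run_train_safe(exp_dir1: str, sr: str = "40k", runner=subprocess.run):
    """Execute the hardened argv list with shell=False.

    `runner` is injectable so callers (and tests) can substitute a stub instead
    of spawning a real process.
    """
    argv = build_train_command_safe(exp_dir1, sr)
    return runner(argv, shell=False, check=False)


def safe_builder_rejects(exp_dir1: str, sr: str = "40k") -> bool:
    """True if the hardened builder refuses this input (used for checks below)."""
    try:
        build_train_command_safe(exp_dir1, sr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign name, one containing a shell metacharacter.
    for candidate in ("model_v2", "model;echo"):
        print("unsafe string :", repr(build_train_command_unsafe(candidate)))
        print("safe builder  :", "rejected" if safe_builder_rejects(candidate)
              else build_train_command_safe(candidate))
```

The contrast to take away: the unsafe builder happily returns a string that still contains the metacharacter, so the only thing standing between the input and the shell is whether the caller uses shell=True; the hardened builder makes that question moot by rejecting the name up front and, for accepted names, passing an argv list that no shell ever parses.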

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rvc-project
Product: retrieval-based-voice-conversion-webui
Versions: ≤ 2.2.231006

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
