CVE-2025-49833
Published: 15 July 2025
Summary
CVE-2025-49833 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 10.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
This vulnerability is flagged as AI-related: categorised as LLM Application Platforms (a keyword match on "gpt"; the software itself is a voice conversion and text-to-speech tool) in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
GPT-SoVITS-WebUI is a voice conversion and text-to-speech web interface. CVE-2025-49833 is a command injection vulnerability (CWE-77) present in versions 20250228v3 and earlier. In the open_slice function of webui.py, unsanitized values from the slice_opt_root and slice-inp-path parameters are concatenated directly into a system command that is then executed on the server.
An unauthenticated remote attacker can supply crafted input through the web UI to achieve arbitrary command execution with the privileges of the process serving the UI. The CVSS 4.0 base score of 8.9 reflects a network-reachable attack that requires no authentication or user interaction and can yield full confidentiality, integrity, and availability impact on the underlying host.
Public references, including the GitHub Security Lab advisory GHSL-2025-045 and the affected code locations in webui.py, confirm the injection path but note that no patched versions were available at the time of disclosure. Until a fix ships, the practical mitigations are to keep the web UI off untrusted networks and to place it behind authentication. The associated EPSS score has remained flat at 0.0435 (roughly a 4.4% predicted probability of exploitation activity in the next 30 days) with no material increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21549
Vulnerability details
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_slice function. slice_opt_root and slice-inp-path take user input, which is passed to the open_slice function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gpt
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection is reachable through the public-facing web UI, so initial access is Exploit Public-Facing Application (T1190); the injected payload is then executed by the server's shell, which is Command and Scripting Interpreter (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the command injection by validating user-supplied inputs such as slice_opt_root and slice-inp-path before they are concatenated into a system command in the open_slice function.
- AC-14 (Permitted Actions Without Identification or Authentication): limits unauthenticated access to vulnerable endpoints such as open_slice, so remote attackers cannot submit malicious inputs without first identifying and authenticating.
- Flaw remediation: requires timely identification, reporting, and remediation of the command injection flaw in webui.py; with no patched version available at publication, this means tracking the upstream advisory for a fix and applying the compensating controls above in the meantime.
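The concatenation pattern described in the Deeper analysis, and the input validation that SI-10 calls for, as an added Python example that is not GPT-SoVITS code: a vulnerable builder pastes user-controlled paths into a shell command string (driven here with a harmless `echo` stand-in instead of the real slicing tool, so it is safe to run), beside a hardened version that checks each path against an allowed root and passes it as a separate argv entry with no shell involved. The names SLICE_TOOL, ALLOWED_ROOT, build_slice_command_vulnerable, run_slice_hardened and the sample paths are assumptions chosen to mirror the advisory text, not the project's identifiers.

```python
"""Added example, not GPT-SoVITS code: CWE-77 via string concatenation into a
shell command, next to a hardened equivalent. All names below are assumptions
chosen to mirror the advisory text, not the project's real identifiers."""
import subprocess
from pathlib import Path
from typing import List

# Stand-in for the real slicing tool: 'echo' only prints its arguments, so the
# vulnerable path below can be exercised without harming the host.
SLICE_TOOL = ["echo", "slice_audio"]

# Assumption: the only directory the web UI is allowed to read from or write to.
ALLOWED_ROOT = Path("/srv/sovits")

# Constructed sample inputs (not from any real request).
BENIGN_INP = "/srv/sovits/input/voice.wav"
BENIGN_OPT = "/srv/sovits/output"
# Closes the quoted argument, appends a second command, then reopens a quote so
# the rest of the command template still parses.
CRAFTED_INP = '/srv/sovits/input/voice.wav"; echo INJECTED_COMMAND_RAN; echo "'


def build_slice_command_vulnerable(inp_path: str, opt_root: str) -> str:
    """The CWE-77 pattern: untrusted values interpolated into a shell string."""
    return f'{" ".join(SLICE_TOOL)} "{inp_path}" "{opt_root}"'


def run_slice_vulnerable(inp_path: str, opt_root: str) -> str:
    """shell=True hands the string to /bin/sh, so ; > | & $() in the input are honoured."""
    cmd = build_slice_command_vulnerable(inp_path, opt_root)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_under_root(user_value: str, root: Path) -> Path:
    """Accept only a plain path that resolves to somewhere beneath root."""
    if any(ch in user_value for ch in ';|&$`"\'\\\n\r<>()'):
        raise ValueError("shell metacharacters are not allowed in a path")
    candidate = Path(user_value) if Path(user_value).is_absolute() else root / user_value
    resolved = candidate.resolve()  # non-strict: fine for paths that do not exist yet
    root_resolved = root.resolve()
    if resolved != root_resolved and root_resolved not in resolved.parents:
        raise ValueError(f"{user_value!r} escapes {root}")
    return resolved


def build_slice_argv(inp_path: str, opt_root: str) -> List[str]:
    """Hardened: validated paths, each passed as its own argv entry, no shell."""
    inp = validate_under_root(inp_path, ALLOWED_ROOT)
    out = validate_under_root(opt_root, ALLOWED_ROOT)
    return [*SLICE_TOOL, str(inp), str(out)]


def run_slice_hardened(inp_path: str, opt_root: str) -> str:
    """Even a metacharacter that slipped past validation would reach the tool
    as a literal argument here, never /bin/sh."""
    argv = build_slice_argv(inp_path, opt_root)
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def hardened_rejects(inp_path: str, opt_root: str) -> bool:
    """True when the hardened builder refuses the input before anything runs."""
    try:
        build_slice_argv(inp_path, opt_root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_slice_vulnerable(BENIGN_INP, BENIGN_OPT).rstrip())
    print(run_slice_vulnerable(CRAFTED_INP, BENIGN_OPT).rstrip())  # includes INJECTED_COMMAND_RAN
    print(run_slice_hardened(BENIGN_INP, BENIGN_OPT).rstrip())
    print(hardened_rejects(CRAFTED_INP, BENIGN_OPT), hardened_rejects("../etc/passwd", BENIGN_OPT))
```

Running the block prints the benign slice line, then a second run whose output contains INJECTED_COMMAND_RAN: the crafted inp value closed the quoted argument and the shell executed what followed it. The hardened builder rejects that same value, and a ../ traversal, before any process starts; the two layers are independent, so a validation gap would still leave the argv form handing the hostile string to the tool as a literal argument rather than to /bin/sh.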