CVE-2025-49834
Published: 15 July 2025
Summary
CVE-2025-49834 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
GPT-SoVITS-WebUI is a voice conversion and text-to-speech web interface. Versions 20250228v3 and earlier contain a command injection vulnerability in the open_denoise function of webui.py. The parameters denoise_inp_dir and denoise_opt_dir accept unsanitized user input that is directly concatenated into a shell command executed on the server, enabling arbitrary command execution. The flaw is tracked as CWE-77 and carries a CVSS 4.0 score of 8.9.
An unauthenticated remote attacker can supply crafted directory values through the web UI to run arbitrary operating-system commands with the privileges of the web server process, resulting in full confidentiality, integrity, and availability impact on the host. No authentication or user interaction is required, and the attack can be performed over the network.
Public references, including the project source and a GitHub Security Lab advisory, confirm the vulnerable code paths but state that no patched versions were available at the time of disclosure. The associated EPSS score remains flat at 0.0574 with no material increase observed after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21548
Vulnerability details
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_denoise function. denoise_inp_dir and denoise_opt_dir take user input, which is passed to the open_denoise function, which concatenates the user…
more
input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: gpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in webui.py functions (open_denoise, etc.) allows arbitrary remote command execution via unsanitized user input passed to Popen(shell=True), enabling T1059 (Command and Scripting Interpreter) and facilitated by exploitation of a public-facing web application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates user inputs for denoise_inp_dir and denoise_opt_dir to prevent command injection payloads from being concatenated into shell commands in the open_denoise function.
Remediates the command injection flaw in webui.py by patching the vulnerable code to sanitize or escape user-supplied directory paths before execution.
Enforces least privilege on the webUI process to restrict the scope and impact of arbitrary commands executed via the vulnerability.