CVE-2025-49835
Published: 15 July 2025
Summary
CVE-2025-49835 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
GPT-SoVITS-WebUI is a voice conversion and text-to-speech web interface that contains a command injection vulnerability in versions 20250228v3 and prior. The flaw resides in the open_asr function within webui.py, where user-controlled inputs such as asr_inp_dir are concatenated directly into shell commands that are executed on the server, corresponding to CWE-77.
Remote attackers can exploit the issue without authentication or user interaction by supplying crafted input through the web interface, resulting in arbitrary command execution on the underlying server with impacts to confidentiality, integrity, and availability reflected in the CVSS 8.9 rating.
Public references, including the GitHub Security Lab advisory GHSL-2025-045 and linked source files, confirm that no patched versions were available at the time of disclosure. The associated EPSS score remains at 0.0435 with no recorded increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21565
Vulnerability details
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function,…
more
which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: gpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in the webUI allows remote arbitrary command execution, enabling exploitation of public-facing applications (T1190) and remote services (T1210).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validating unsanitized user inputs like asr_inp_dir before concatenation into system commands in the open_asr function, preventing command injection.
Mandates timely identification, reporting, and correction of the command injection flaw in webui.py, eliminating the vulnerability at its source.
Enforces least privilege on processes handling user inputs, limiting the scope and impact of arbitrary commands executed via injection.