Cyber Resilience

CVE-2025-49835

Severity: High · Public PoC · RCE

Published: 15 July 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: none available at time of publication
CVSS v4 Score: 8.9 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0435 (89.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49835 is a high-severity Command Injection (CWE-77) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is classified as AI-related: AI category LLM Application Platforms, risk domain Supply Chain and Deployment.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

GPT-SoVITS-WebUI is a voice conversion and text-to-speech web interface that contains a command injection vulnerability in versions 20250228v3 and prior. The flaw resides in the open_asr function within webui.py, where user-controlled inputs such as asr_inp_dir are concatenated directly into shell commands that are executed on the server, corresponding to CWE-77.

Remote attackers can exploit the issue without authentication or user interaction by supplying crafted input through the web interface, resulting in arbitrary command execution on the underlying server with impacts to confidentiality, integrity, and availability reflected in the CVSS 8.9 rating.

Public references, including the GitHub Security Lab advisory GHSL-2025-045 and linked source files, confirm that no patched versions were available at the time of disclosure. The associated EPSS score remains at 0.0435 with no recorded increase.

Vulnerability details

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.

CWE(s)

CWE-77 (Command Injection)

AI Security Analysis [AI]

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gpt

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection in the webUI allows remote arbitrary command execution, enabling exploitation of public-facing applications (T1190) and remote services (T1210).

CVEs Like This One

CVE-2025-49834 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49836 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49833 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49837 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49838 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49841 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49840 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49839 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2026-26015 (shared CWE-77)
CVE-2026-4399 (shared CWE-77)

Affected Assets

Vendor: rvc-boss
Product: gpt-sovits-webui
Versions: ≤ 20250228v3

Mitigating Controls (NIST 800-53 r5) [AI]

[prevent] SI-10 (Information Input Validation): Directly requires validating unsanitized user inputs like asr_inp_dir before concatenation into system commands in the open_asr function, preventing command injection.

[prevent] SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the command injection flaw in webui.py, eliminating the vulnerability at its source.

[prevent] Enforces least privilege on processes handling user inputs, limiting the scope and impact of arbitrary commands executed via injection.
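The injectable pattern described in the deeper analysis, beside the input validation and argument-vector construction that the SI-10 control calls for, as an added Python illustration. This is not code from GPT-SoVITS-WebUI: the tool name tools/asr_tool.py, the INPUT_ROOT directory, the function names and the sample inputs are all assumptions constructed for the example.

```python
import subprocess
import tempfile
from pathlib import Path

# Assumed deployment layout and tool name; neither is taken from the project.
INPUT_ROOT = Path("/srv/gpt-sovits/input")
ASR_TOOL = ["python", "tools/asr_tool.py"]

def vulnerable_command(asr_inp_dir: str) -> str:
    """CWE-77 pattern: the user value becomes part of one shell string, so any
    shell metacharacters it carries are interpreted when that string is run
    via os.system() or subprocess with shell=True."""
    return f"{' '.join(ASR_TOOL)} -i {asr_inp_dir}"

def validate_input_dir(asr_inp_dir: str, root: Path = INPUT_ROOT) -> Path:
    """SI-10 style validation: canonicalise the value and require an existing
    directory inside the allowed root. Absolute paths, '..' traversal and
    names that do not exist (e.g. with junk appended) are rejected."""
    root = root.resolve()
    candidate = (root / asr_inp_dir).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"input directory escapes allowed root: {asr_inp_dir!r}")
    if not candidate.is_dir():
        raise ValueError(f"not an existing directory: {asr_inp_dir!r}")
    return candidate

def hardened_argv(asr_inp_dir: str, root: Path = INPUT_ROOT) -> list:
    """Build an argv list. With shell=False every element reaches the tool as
    one literal argument; no shell parses ';', '|', '$(...)' or backticks."""
    return [*ASR_TOOL, "-i", str(validate_input_dir(asr_inp_dir, root))]

def run_asr(asr_inp_dir: str, root: Path = INPUT_ROOT) -> subprocess.CompletedProcess:
    return subprocess.run(hardened_argv(asr_inp_dir, root), shell=False,
                          check=True, capture_output=True, text=True)

def demo() -> dict:
    """Constructed scenario: one legitimate upload directory under a temp root;
    three inputs through the hardened path and one through the shell string."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clip1").mkdir()
        results = {}
        for value in ("clip1", "clip1; id", "../../etc"):
            try:
                results[value] = hardened_argv(value, root)
            except ValueError as exc:
                results[value] = str(exc)
        results["shell_string"] = vulnerable_command("clip1; id")
        return results
```

demo() never launches the tool; it only shows which inputs the hardened path turns into an argv list and which it rejects.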
