Cyber Resilience

CVE-2025-49839

High · Public PoC · RCE

Published: 15 July 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: none available at publication
CVSS Score (v4): 8.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0072 (72.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49839 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.1% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

GPT-SoVITS-WebUI, a web interface for voice conversion and text-to-speech functionality, contains an unsafe deserialization vulnerability (CWE-502) in versions 20250228v3 and prior. The issue resides in the bsroformer.py component, where the model_choose parameter accepts unsanitized user input, such as a model path, which is passed to the uvr function. This input is then used to instantiate a Roformer_Loader class, which appends a .ckpt extension before loading the file via torch.load. Passing user-controlled data directly to torch.load allows arbitrary deserialization of PyTorch checkpoints. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious model path via the model_choose parameter, an attacker triggers deserialization of a crafted .ckpt file during model loading in Roformer_Loader. Successful exploitation allows arbitrary code execution on the server, with high impact on confidentiality, integrity, and availability, up to full system takeover.

GitHub Security Lab advisories (GHSL-2025-049 and GHSL-2025-053) detail the flaw with references to specific code lines in bsroformer.py and webui.py, confirming the deserialization path. At the time of publication on 2025-07-15, no patched versions were available, leaving deployments reliant on input validation, network restrictions, or disabling the affected uvr functionality until fixes emerge.

This vulnerability is particularly relevant to AI/ML practitioners deploying voice synthesis tools, as it targets PyTorch model loading in an open-source TTS pipeline, highlighting risks in user-supplied model paths common in ML webUIs. No public evidence of real-world exploitation was reported at disclosure.


Vulnerability details

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function.

In uvr, a new instance of the Roformer_Loader class is created with the model_path attribute containing the aforementioned user input (here called locally model_name). Note that in this step the .ckpt extension is added to the path. In the Roformer_Loader class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available.
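A hardened version of the loading path described above, written here as an added example (not code from GPT-SoVITS-WebUI or the GHSL advisories): the user-supplied model_choose value is validated as a plain model name and restricted to an existing checkpoint inside a trusted directory before torch.load is ever reached, which is the input validation (SI-10) and input restriction (SI-9) pairing the page recommends. The function names, the models directory layout and the weights_only hardening are assumptions of this example.

```python
"""Validated checkpoint loading for a torch.load based model loader.
Added example, not code from GPT-SoVITS-WebUI; resolve_model_path, load_checkpoint
and demo are hypothetical names, model_choose/.ckpt/torch.load come from the advisory.
"""
import re
import tempfile
from pathlib import Path

# A model choice must be a plain file name: no separators, no traversal.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def resolve_model_path(model_choose: str, models_dir: Path) -> Path:
    """Map model_choose to <models_dir>/<name>.ckpt or raise ValueError.
    Validation: the value must be a plain name without the suffix.
    Restriction: it must resolve to an existing file inside models_dir.
    """
    if not _SAFE_NAME.fullmatch(model_choose) or model_choose.endswith(".ckpt"):
        raise ValueError(f"rejected model name: {model_choose!r}")
    root = models_dir.resolve()
    candidate = (root / f"{model_choose}.ckpt").resolve()
    if candidate.parent != root or not candidate.is_file():
        raise ValueError(f"no such checkpoint under {root}: {model_choose!r}")
    return candidate


def load_checkpoint(model_choose: str, models_dir: Path):
    """Hardened stand-in for Roformer_Loader's torch.load(model_path)."""
    import torch  # lazy import: the path checks above run without torch
    path = resolve_model_path(model_choose, models_dir)
    # weights_only=True limits the unpickler to tensors and primitive
    # containers, so a crafted checkpoint cannot invoke arbitrary callables.
    return torch.load(path, map_location="cpu", weights_only=True)


def demo() -> dict[str, bool]:
    """Constructed sample: which model_choose values would be accepted?"""
    with tempfile.TemporaryDirectory() as tmp:
        models_dir = Path(tmp)
        (models_dir / "demo-model.ckpt").write_bytes(b"constructed placeholder")
        verdict = {}
        for choice in ("demo-model",            # legitimate choice
                       "demo-model.ckpt",       # suffix belongs to the loader
                       "../../../etc/passwd",   # traversal out of models_dir
                       "/tmp/other-model",      # absolute path as a model
                       "missing-model"):        # well-formed but absent
            try:
                resolve_model_path(choice, models_dir)
                verdict[choice] = True
            except ValueError:
                verdict[choice] = False
        return verdict
```

Only the single checkpoint that actually lives in the models directory is accepted; every other value is rejected before any deserialization happens.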

CWE(s): CWE-502 Deserialization of Untrusted Data

AI Security Analysis (AI-generated)

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: matched keyword "gpt"

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unsafe deserialization vulnerability in the webUI allows attackers to provide a malicious model path, leading to remote code execution via torch.load, enabling exploitation of a public-facing application.

CVEs Like This One

CVE-2025-49837 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49838 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49841 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49840 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49834 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49836 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49833 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-49835 (same product: Rvc-Boss Gpt-Sovits-Webui)
CVE-2025-45146 (shared CWE-502)
CVE-2024-13770 (shared CWE-502)

Affected Assets

rvc-boss gpt-sovits-webui, versions ≤ 20250228v3

Mitigating Controls (NIST 800-53 r5, AI-generated)

SI-10 Information Input Validation · prevent
Directly mitigates the vulnerability by requiring validation of the user-supplied model_choose input before it is used in torch.load for deserialization.

SI-9 Information Input Restrictions · prevent
Enforces restrictions on model path inputs to block unauthorized or malicious paths that could trigger unsafe deserialization in Roformer_Loader.

prevent
Supports remediation of the unsafe deserialization flaw in bsroformer.py through timely patching or code fixes once available.
