CVE-2025-49839
Published: 15 July 2025
Summary
CVE-2025-49839 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring validation of the user-supplied model_choose input before it is used in torch.load for deserialization.
- Enforces restrictions on model path inputs to block unauthorized or malicious paths that could trigger unsafe deserialization in Roformer_Loader.
- Supports remediation of the unsafe deserialization flaw in bsroformer.py through timely patching or code fixes once available.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unsafe deserialization flaw in the webUI lets an attacker supply a malicious model path that is passed to torch.load, yielding remote code execution; because the webUI is reachable over the network, this maps to exploitation of a public-facing application (T1190).
NVD Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of Roformer_Loader class is created with the model_path attribute containing the aforementioned user input (here called locally model_name). Note that in this step the .ckpt extension is added to the path. In the Roformer_Loader class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available.
Deeper analysis
GPT-SoVITS-WebUI, a web interface for voice conversion and text-to-speech functionality, contains an unsafe deserialization vulnerability (CWE-502) in versions 20250228v3 and prior. The issue resides in the bsroformer.py component, where the model_choose parameter accepts unsanitized user input, such as a model path, which is passed to the uvr function. This input is then used to instantiate a Roformer_Loader class, appending a .ckpt extension before loading the file via torch.load. This direct use of user-controlled data in torch.load enables arbitrary deserialization of PyTorch checkpoints, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious model path via the model_choose parameter, an attacker triggers deserialization of a crafted .ckpt file during model loading in Roformer_Loader. Successful exploitation yields arbitrary code execution on the server with high impact on confidentiality, integrity, and availability, up to full system takeover.
GitHub Security Lab advisories (GHSL-2025-049 and GHSL-2025-053) detail the flaw with references to specific code lines in bsroformer.py and webui.py, confirming the deserialization path. At the time of publication on 2025-07-15, no patched versions were available, leaving deployments reliant on input validation, network restrictions, or disabling the affected uvr functionality until fixes emerge.
This vulnerability is particularly relevant to AI/ML practitioners deploying voice synthesis tools, as it targets PyTorch model loading in an open-source TTS pipeline, highlighting risks in user-supplied model paths common in ML webUIs. No public evidence of real-world exploitation was reported at disclosure.
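The pattern described above (user input with ".ckpt" appended, handed straight to torch.load) next to a hardened loader that applies the SI-10/SI-9 controls listed earlier. This is an added example, not code from GPT-SoVITS-WebUI; MODELS_DIR, make_demo_models_dir, resolve_model_path and load_roformer_checkpoint are names this example assumes, and torch is only needed if load_roformer_checkpoint is actually called.

```python
"""Added example, not code from GPT-SoVITS-WebUI: the model-path pattern behind
CVE-2025-49839 next to a hardened loader. MODELS_DIR, make_demo_models_dir,
resolve_model_path and load_roformer_checkpoint are this example's own names."""
import tempfile
from pathlib import Path

MODELS_DIR = Path("models")  # hypothetical checkpoint directory, not the project's layout


def vulnerable_model_path(model_choose: str) -> str:
    """The flawed shape: user input gets '.ckpt' appended and goes straight to torch.load.
    Traversal sequences or an absolute path pass through without any check."""
    return str(MODELS_DIR) + "/" + model_choose + ".ckpt"


def list_allowed_models(models_dir: Path = MODELS_DIR) -> set[str]:
    """Allowlist = stems of the .ckpt files that actually exist in the models directory."""
    return {p.stem for p in models_dir.glob("*.ckpt") if p.is_file()}


def resolve_model_path(model_choose: str, models_dir: Path = MODELS_DIR) -> Path:
    """Return the checkpoint path only if model_choose names an allowlisted file."""
    if model_choose not in list_allowed_models(models_dir):
        raise ValueError(f"unknown model: {model_choose!r}")
    candidate = (models_dir / f"{model_choose}.ckpt").resolve()
    # Belt and braces: the resolved path must still sit directly under models_dir,
    # which also rejects a symlinked .ckpt that points outside it.
    if candidate.parent != models_dir.resolve():
        raise ValueError("model path escapes the models directory")
    return candidate


def load_roformer_checkpoint(model_choose: str, models_dir: Path = MODELS_DIR):
    """Hardened stand-in for the torch.load call in Roformer_Loader (needs torch installed)."""
    import torch  # imported lazily so the path checks above run without torch
    path = resolve_model_path(model_choose, models_dir)
    # weights_only=True limits unpickling to tensors and plain containers, so a crafted
    # checkpoint cannot execute code during load; the allowlist keeps the path under control.
    return torch.load(path, map_location="cpu", weights_only=True)


def make_demo_models_dir() -> Path:
    """Constructed fixture: a scratch directory holding two empty placeholder checkpoints."""
    d = Path(tempfile.mkdtemp(prefix="uvr_models_"))
    for name in ("roformer_a", "roformer_b"):
        (d / f"{name}.ckpt").touch()
    return d
```

Note that weights_only=True alone does not help if the path itself is unrestricted, since an attacker-chosen file is still read; the allowlist and the containment check are what keep the torch.load call away from untrusted input.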
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: GPT-SoVITS-WebUI is an open-source web UI platform for AI-based voice conversion and text-to-speech using PyTorch models (e.g., torch.load for .ckpt files), which does not fit core frameworks or libraries but aligns with Other Platforms for AI deployment tools.