Cyber Resilience

CVE-2025-49840

High · Public PoC · RCE

Published: 15 July 2025
Modified: 30 July 2025
KEV Added: not listed
Patch: none available
CVSS Score (v4): 8.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0066 (71.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49840 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 28.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2025-49840 is an unsafe deserialization vulnerability (CWE-502) in GPT-SoVITS-WebUI, a web interface for voice conversion and text-to-speech functionality within the RVC-Boss/GPT-SoVITS project. It affects versions 20250228v3 and prior, specifically in the inference_webui.py component. User input via the GPT_dropdown variable is passed to the change_gpt_weights function, which uses the controlled gpt_path parameter to load a model with torch.load, enabling arbitrary deserialization of untrusted data.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction. An attacker who can supply a malicious model path triggers deserialization of attacker-controlled data, compromising confidentiality, integrity, and availability and potentially achieving remote code execution on the hosting server.

GitHub Security Lab advisories GHSL-2025-049 and GHSL-2025-053 detail the issue with code references in inference_webui.py (lines 310, 872, and 927), but at the time of publication on 2025-07-15, no known patched versions were available.

Vulnerability details

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes user input and passes it to the change_gpt_weights function. In change_gpt_weights, the user input, here gpt_path, is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.

AI Security Analysis (AI-generated)

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gpt

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unsafe deserialization via torch.load on user-controlled model path in webUI enables remote code execution, exploiting a public-facing web application.

CVEs Like This One

CVE-2025-49837: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49838: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49841: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49839: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49834: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49836: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49833: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-49835: same product, Rvc-Boss Gpt-Sovits-Webui
CVE-2025-45146: shared CWE-502
CVE-2024-13770: shared CWE-502

Affected Assets

rvc-boss gpt-sovits-webui, versions ≤ 20250228v3

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent (SI-10, Information Input Validation): Validates the user-controlled gpt_path input before deserialization with torch.load, preventing processing of malicious serialized data.

prevent (SI-9, Information Input Restrictions): Restricts GPT_dropdown inputs to whitelisted safe model paths, blocking arbitrary user-supplied paths leading to unsafe deserialization.

prevent: Implements memory protections like non-executable memory to mitigate remote code execution from deserialized malicious payloads.
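The two input controls above (validate gpt_path, restrict GPT_dropdown to an allowlist) as an added Python example; this is not the project's code. The weights directory, the .ckpt suffix and all function names are assumptions, load_gpt_weights stands in for the torch.load(gpt_path) call in change_gpt_weights, and weights_only=True is shown as a second layer rather than a replacement for the allowlist.

```python
import tempfile
from pathlib import Path

def allowed_models(model_dir: Path, suffix: str = ".ckpt") -> dict[str, Path]:
    # Allowlist from the operator-controlled weights directory only: regular
    # files directly inside it after symlink resolution. The dropdown cannot add to it.
    root = model_dir.resolve()
    allowed = {}
    for entry in root.iterdir():
        real = entry.resolve()
        if entry.is_file() and entry.suffix == suffix and real.parent == root:
            allowed[entry.name] = real
    return allowed

def resolve_model_choice(choice: str, model_dir: Path) -> Path:
    # Exact-match lookup: traversal strings, absolute paths and planted files never reach the loader.
    allowed = allowed_models(model_dir)
    if choice not in allowed:
        raise ValueError(f"{choice!r} is not an installed GPT checkpoint")
    return allowed[choice]

def load_gpt_weights(choice: str, model_dir: Path):
    # Hardened stand-in for torch.load(gpt_path). weights_only=True limits the unpickler
    # to tensors and plain containers (assumes the checkpoint holds only such objects).
    import torch  # lazy import keeps the path checks runnable without torch
    return torch.load(resolve_model_choice(choice, model_dir), map_location="cpu", weights_only=True)

def demo() -> dict[str, str]:
    # Exercise the allowlist against constructed inputs in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "s1-constructed.ckpt").write_bytes(b"placeholder, not a real model")
        (root / "uploads").mkdir()
        (root / "uploads" / "planted.ckpt").write_bytes(b"constructed, outside allowlist")
        try:  # a symlink inside the weights dir pointing elsewhere must not count
            (root / "alias.ckpt").symlink_to(root / "uploads" / "planted.ckpt")
        except OSError:
            pass
        probes = {"installed": "s1-constructed.ckpt", "subdir": "uploads/planted.ckpt",
                  "traversal": "../uploads/planted.ckpt", "symlink": "alias.ckpt",
                  "absolute": str(root / "uploads" / "planted.ckpt")}
        results = {}
        for label, choice in probes.items():
            try:
                resolve_model_choice(choice, root)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
        return results
```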
