CVE-2025-49841
Published: 15 July 2025
Summary
CVE-2025-49841 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-49841 is an unsafe deserialization vulnerability (CWE-502) in GPT-SoVITS-WebUI, an open-source web interface for voice conversion and text-to-speech functionality. The flaw affects versions 20250228v3 and prior, specifically in the process_ckpt.py component. User input from the SoVITS_dropdown variable is passed directly to the load_sovits_new function, which uses the controlled sovits_path parameter to invoke torch.load for model loading, enabling arbitrary deserialization of untrusted data.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. An attacker can supply a malicious model path via the web interface, triggering deserialization during torch.load execution. This can lead to high-impact compromise of confidentiality, integrity, and availability, such as remote code execution on the hosting server.
The GitHub Security Lab advisory (GHSL-2025-049_GHSL-2025-053) identifies the issue with code references in inference_webui.py (lines 873 and 926) and process_ckpt.py (lines 100-106). No patched versions were available at the time of publication on 2025-07-15.
This vulnerability underscores risks in AI/ML web UIs that load PyTorch models from user-supplied paths, with no reported real-world exploitation at publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21557
Vulnerability details
GPT-SoVITS-WebUI is a voice conversion and text-to-speech web UI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes user input and passes it to the load_sovits_new function in process_ckpt.py. In load_sovits_new, the user input, here sovits_path, is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
CWE(s)
- CWE-502: Deserialization of Untrusted Data
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gpt
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
An unsafe deserialization flaw in the web UI's model-loading function (torch.load on a user-controlled path) enables remote code execution against a public-facing web application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates and sanitizes the user-controlled SoVITS_dropdown input (sovits_path) before it is passed to torch.load, preventing unsafe deserialization of malicious models.
- CM-14 (Signed Components): requires digital signature verification of PyTorch models before they are loaded with torch.load, so that only authentic, untampered models are deserialized.
- Flaw remediation: establishes processes to identify, report, and remediate the unsafe deserialization flaw in process_ckpt.py, including applying patches when they become available.
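The two controls above (input validation on the model path and verification of the checkpoint before deserialization) can be implemented in a small guard that sits in front of the loader. The following is an added, illustrative example written for this page; it is not code from GPT-SoVITS-WebUI or from the advisory. It assumes that legitimate checkpoints live under a single weights directory, that only `.pth`/`.ckpt` files are valid, and that an out-of-band manifest of pinned SHA-256 digests (standing in for a signed components list) is available. The actual deserializer is passed in as a callable so the example runs without PyTorch installed; in production that callable would wrap `torch.load`.

```python
"""Guard a user-supplied checkpoint path before it reaches a deserializer.

Added example (not GPT-SoVITS code). Two checks, in order:
  1. the path is confined to the weights directory (no absolute paths,
     no `..` traversal, no symlinks that escape it) and has a valid suffix;
  2. the file's SHA-256 matches a digest pinned out of band, so an
     attacker-supplied or tampered checkpoint is rejected before unpickling.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Any, Callable, Dict

# Assumption: only these suffixes are legitimate checkpoint files.
ALLOWED_SUFFIXES = frozenset({".pth", ".ckpt"})


class UnsafeModelPath(ValueError):
    """Raised when a user-supplied model path fails validation."""


def resolve_model_path(user_value: str, model_dir: Path) -> Path:
    """Confine `user_value` (e.g. the dropdown selection) to `model_dir`."""
    if not user_value or "\x00" in user_value:
        raise UnsafeModelPath("empty or NUL-containing path")
    root = model_dir.resolve()
    # Resolve symlinks and `..` first, then check containment by parent chain.
    candidate = (root / user_value).resolve()
    if root not in candidate.parents:
        raise UnsafeModelPath(f"path escapes model directory: {user_value!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeModelPath(f"unexpected checkpoint suffix: {candidate.suffix!r}")
    if not candidate.is_file():
        raise UnsafeModelPath(f"not a regular file: {user_value!r}")
    return candidate


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 (checkpoints can be large)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned_digest(path: Path, manifest: Dict[str, str]) -> None:
    """Require the file's SHA-256 to match the entry pinned in `manifest`.

    `manifest` (file name -> hex digest) is produced out of band and never
    taken from the request. Unknown files are rejected, not merely warned about.
    """
    pinned = manifest.get(path.name)
    actual = sha256_file(path)
    if pinned is None or not hmac.compare_digest(pinned, actual):
        raise UnsafeModelPath(f"checkpoint {path.name} is not in the pinned manifest")


def load_checkpoint(user_value: str, model_dir: Path, manifest: Dict[str, str],
                    loader: Callable[[Path], Any]) -> Any:
    """Validate, verify, and only then hand the path to the deserializer."""
    path = resolve_model_path(user_value, model_dir)
    verify_pinned_digest(path, manifest)
    return loader(path)


def demo() -> Dict[str, str]:
    """Constructed scenario: one pinned checkpoint plus several hostile inputs."""
    outcomes: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "SoVITS_weights"
        model_dir.mkdir()
        good = model_dir / "speaker.pth"
        good.write_bytes(b"constructed-checkpoint-bytes")
        (model_dir / "rogue.pth").write_bytes(b"unpinned-bytes")
        (model_dir / "notes.txt").write_bytes(b"not a checkpoint")
        manifest = {"speaker.pth": sha256_file(good)}  # constructed manifest
        # Stand-in for torch.load(p, map_location="cpu", weights_only=True).
        loader = lambda p: f"loaded:{p.name}"
        cases = {
            "pinned": "speaker.pth",
            "traversal": "../../etc/passwd",
            "absolute": "/etc/passwd",
            "wrong_suffix": "notes.txt",
            "unpinned": "rogue.pth",
        }
        for name, value in cases.items():
            try:
                outcomes[name] = load_checkpoint(value, model_dir, manifest, loader)
            except UnsafeModelPath:
                outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

Two design notes. First, a dropdown should select from a server-side enumeration of the weights directory rather than pass a free-form path; the containment check above is the defence in depth for when that invariant is not enforced at the UI layer. Second, `torch.load` accepts a real `weights_only=True` argument that restricts unpickling to tensors and primitive containers, which removes the arbitrary-object deserialization primitive; checkpoints that pickle custom classes will fail to load under it, so pinning or signing the checkpoint (CM-14) remains the primary control and `weights_only` is the complementary one.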