CVE-2025-49841
Published: 15 July 2025
Summary
CVE-2025-49841 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Rvc-Boss Gpt-Sovits-Webui. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates and sanitizes the user-controlled SoVITS_dropdown input (sovits_path) before it is passed to torch.load, preventing unsafe deserialization of malicious models.
- Requires digital signature verification of PyTorch models before they are loaded with torch.load, so that only authentic and untampered models are deserialized.
- Establishes processes to identify, report, and remediate the unsafe deserialization flaw in process_ckpt.py, including applying patches when they become available.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unsafe deserialization flaw in the webUI's model-loading function (torch.load on a user-controlled path) enables remote code execution by exploiting a public-facing web application (T1190).
NVD Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes user input and passes it to the load_sovits_new function in process_ckpt.py. In load_sovits_new, the user input, here sovits_path, is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available.
Deeper analysis
CVE-2025-49841 is an unsafe deserialization vulnerability (CWE-502) in GPT-SoVITS-WebUI, an open-source web interface for voice conversion and text-to-speech functionality. The flaw affects versions 20250228v3 and prior, specifically in the process_ckpt.py component. User input from the SoVITS_dropdown variable is passed directly to the load_sovits_new function, which uses the controlled sovits_path parameter to invoke torch.load for model loading, enabling arbitrary deserialization of untrusted data.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. An attacker can supply a malicious model path via the web interface, triggering deserialization during torch.load execution. This can lead to high-impact compromise of confidentiality, integrity, and availability, such as remote code execution on the hosting server.
The GitHub Security Lab advisory (GHSL-2025-049_GHSL-2025-053) identifies the issue with code references in inference_webui.py (lines 873 and 926) and process_ckpt.py (lines 100-106). No patched versions were available at the time of publication on 2025-07-15.
This vulnerability underscores risks in AI/ML web UIs that load PyTorch models from user-supplied paths, with no reported real-world exploitation at publication.
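As an added illustration (not code from the GPT-SoVITS project or the advisory), the Python sketch below shows how a loader could apply the two controls named above before torch.load is ever reached: SI-10 by accepting only a bare file name that resolves to a file directly inside a fixed model directory, and CM-14 by pinning each accepted checkpoint to a known digest. The function names, the SHA-256 allowlist standing in for signature verification, the constructed sample files, and the weights_only=True setting are all assumptions added here.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def resolve_checkpoint(sovits_path: str, model_dir: Path) -> Path:
    """SI-10 (hypothetical helper): dropdown value must be a bare file name inside model_dir."""
    candidate = Path(sovits_path)
    if candidate.is_absolute() or len(candidate.parts) != 1 or candidate.name in ("", ".", ".."):
        raise ValueError(f"rejected sovits_path: {sovits_path!r}")
    resolved = (model_dir / candidate).resolve(strict=True)  # FileNotFoundError if absent
    if resolved.parent != model_dir.resolve():  # also catches symlinks pointing outside
        raise ValueError(f"path escapes model directory: {sovits_path!r}")
    return resolved

def verify_checkpoint(path: Path, trusted: dict) -> str:
    """CM-14 stand-in: SHA-256 must match the digest pinned for that file name
    (a real deployment would verify the publisher's digital signature instead)."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    expected = trusted.get(path.name)
    if expected is None or not hmac.compare_digest(digest, expected):
        raise ValueError(f"untrusted checkpoint: {path.name}")
    return digest

def load_sovits_safely(sovits_path: str, model_dir: Path, trusted: dict):
    """torch.load is reached only after both checks; weights_only=True is defence in depth."""
    path = resolve_checkpoint(sovits_path, model_dir)
    verify_checkpoint(path, trusted)
    import torch  # imported lazily so the validation helpers run without PyTorch installed
    return torch.load(path, map_location="cpu", weights_only=True)

def demo() -> dict:
    """Constructed scenario: one pinned checkpoint plus hostile dropdown values."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "SoVITS_weights"
        model_dir.mkdir()
        good = model_dir / "speaker_e8.pth"
        good.write_bytes(b"constructed stand-in for checkpoint bytes")
        trusted = {good.name: hashlib.sha256(good.read_bytes()).hexdigest()}
        (model_dir / "unlisted.pth").write_bytes(b"on disk, but not pinned")
        (Path(tmp) / "outside.pth").write_bytes(b"outside the model directory")
        probes = {"trusted": "speaker_e8.pth", "unlisted": "unlisted.pth", "traversal": "../outside.pth",
                  "missing": "missing.pth", "absolute": str(Path(tmp) / "outside.pth")}
        outcome = {}
        for label, value in probes.items():
            try:
                verify_checkpoint(resolve_checkpoint(value, model_dir), trusted)
                outcome[label] = "accepted"
            except (ValueError, FileNotFoundError) as exc:
                outcome[label] = type(exc).__name__
        return outcome
```

Only the pinned file name is accepted; an unpinned file in the same directory, a traversal string, an absolute path and a missing file are all rejected before any deserialization happens.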
Details
- CWE(s)
- CWE-502 (Deserialization of Untrusted Data)
- Affected Products
- Rvc-Boss Gpt-Sovits-Webui (GPT-SoVITS-WebUI), versions 20250228v3 and prior
AI Security Analysis
- AI Category
- APIs and Models
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- GPT-SoVITS-WebUI is a web-based user interface/platform for voice conversion and text-to-speech, utilizing PyTorch models for inference, fitting under Other Platforms as it is neither a framework, library, nor specialized in listed subfields like NLP Transformers or Computer Vision.