Home

Description

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.

PUBLISHED Reserved 2025-04-17 | Published 2025-05-05 | Updated 2025-05-05 | Assigner GitHub_M




HIGH: 8.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

<= 2.2.231006
affected

References

securitylab.github.com/...eval-based-Voice-Conversion-WebUI/

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py

cve.org (CVE-2025-43843)

nvd.nist.gov (CVE-2025-43843)

Download JSON