CVE-2025-43843
GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
Reserved 2025-04-17 | Published 2025-05-05 | Updated 2025-05-05 | Assigner GitHub_MCWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
securitylab.github.com/...eval-based-Voice-Conversion-WebUI/
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
github.com/...7780cf703841ebafb565a4e47d1ea86ff/infer-web.py
Support options
