CVE-2025-43842 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The varia…
High CVSS: 8.9

CVE-2025-43842

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and sr2 take user input and pass it to the preprocess_dataset function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
Vendor
Rvc-project
Product
Retrieval-based-voice-conversion-webui
CWE
CWE-77
Yayın Tarihi
2025-05-05 17:18:48
Güncelleme
2025-08-01 16:55:04
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-77 Retrieval-based-voice-conversion-webui HIGH Rvc-project 2025

Referanslar

https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L1227-L1232 https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L223-L232 https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L235 https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/