Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variable exp_dir1, among others, takes user input and passes it to the click_train function, which concatenates these values into a command that is run on the server. This can lead to arbitrary command execution. As of the time of publication, no known patches exist.
CVE ID: CVE-2025-43844
CVSS Base Severity: HIGH
CVSS Base Score: 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Vendor: RVC-Project
Product: Retrieval-based-Voice-Conversion-WebUI
EPSS Score: 0.56% (probability of being exploited)
EPSS Percentile: 67.1% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-06-03 (date this score was calculated)
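
The concatenation pattern from the description, next to a hardened form, as an added example that is not the project's own code. The command `train.py -e`, the allow-list rule and all function names are assumptions made for illustration; only the idea of an experiment-directory value reaching a command string comes from the advisory.

```python
import re
import shlex
import sys

# Assumed allow-list for experiment names; the real project may need a different rule.
SAFE_EXP_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_command_string(exp_dir: str) -> str:
    """Injection-prone pattern: user input concatenated into a shell command line."""
    # "train.py" and "-e" are hypothetical stand-ins for the real training command.
    return 'python train.py -e "%s"' % exp_dir


def build_command_argv(exp_dir: str) -> list:
    """Hardened pattern: validate the name, then keep it as one argv element."""
    if not SAFE_EXP_NAME.fullmatch(exp_dir):
        raise ValueError("experiment name contains characters outside [A-Za-z0-9_-]")
    # Pass this list to subprocess.run(argv, shell=False); no shell parses the input.
    return [sys.executable, "train.py", "-e", exp_dir]


def spilled_tokens(exp_dir: str) -> list:
    """Words a shell-style parser sees beyond the four the command should contain."""
    return shlex.split(build_command_string(exp_dir))[4:]


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one that closes the quote early.
    for name in ("my_voice_01", 'demo"; echo INJECTED; "'):
        print(repr(name), "-> extra shell words:", spilled_tokens(name))
        try:
            print("  argv:", build_command_argv(name))
        except ValueError as err:
            print("  rejected:", err)
```

Nothing is executed here: `shlex.split` only shows how the concatenated string would be split into words, which is where the input escapes its intended argument.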