CVE-2025-43843: GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI
First published: Mon May 05 2025(Updated: )
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Retrieval-based Voice Conversion WebUI | <2.2.231006 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L1276-L1289
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L265-L274
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L276-L278
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L307-L309
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L330-L332
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L373-L375
Frequently Asked Questions
What is the severity of CVE-2025-43843?
CVE-2025-43843 is classified as a critical vulnerability due to its potential to allow command injection.
How do I fix CVE-2025-43843?
To fix CVE-2025-43843, upgrade Retrieval-based Voice Conversion WebUI to version 2.2.231007 or later.
What types of input can be exploited in CVE-2025-43843?
The vulnerable variables exp_dir1, np7, and f0method8 can be exploited through arbitrary user input.
What is the impact of CVE-2025-43843?
The impact of CVE-2025-43843 includes unauthorized command execution on the affected system.
Is CVE-2025-43843 present in all versions of Retrieval-based Voice Conversion WebUI?
CVE-2025-43843 affects Retrieval-based Voice Conversion WebUI versions 2.2.231006 and prior.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/author
- agent/event
- agent/severity
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/retrieval-based-voice-conversion-webui
- canonical/retrieval-based voice conversion webui