Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2025-49835, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2025-49835 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.
References:
- https://capec.mitre.org/data/definitions/136.html
- https://capec.mitre.org/data/definitions/15.html
- https://capec.mitre.org/data/definitions/183.html
- https://capec.mitre.org/data/definitions/248.html
- https://capec.mitre.org/data/definitions/40.html
- https://capec.mitre.org/data/definitions/43.html
- https://capec.mitre.org/data/definitions/75.html
- https://capec.mitre.org/data/definitions/76.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-49835