CVE-2025-43851 Overview
CVE-2025-43851 is an unsafe deserialization vulnerability affecting Retrieval-based-Voice-Conversion-WebUI, a voice changing framework based on VITS. The vulnerability exists in versions 2.2.231006 and prior, where user-controlled input is passed to the torch.load function without proper validation, enabling remote code execution through malicious model files.
Critical Impact
Attackers can achieve remote code execution by providing a malicious model path that triggers unsafe deserialization through PyTorch's torch.load function, potentially leading to complete system compromise.
Affected Products
- rvc-project retrieval-based-voice-conversion-webui versions 2.2.231006 and prior
Discovery Timeline
- May 5, 2025 - CVE-2025-43851 published to NVD
- August 1, 2025 - Last updated in NVD database
Technical Details for CVE-2025-43851
Vulnerability Analysis
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a well-known class of security issues affecting Python applications that use serialization libraries without proper safeguards. The Retrieval-based-Voice-Conversion-WebUI application accepts user-provided model paths without adequate validation, creating an exploitable attack surface.
The attack flow begins when a user supplies input to the model_choose variable, which is intended to specify a path to a voice conversion model. This input flows through the uvr function in vr.py, where it creates an instance of the AudioPre class with the user-supplied path stored in the model_path attribute. The critical vulnerability occurs when this path is used with PyTorch's torch.load function, which by default uses Python's pickle module for deserialization.
PyTorch's torch.load function is inherently unsafe when used with untrusted data because pickle can execute arbitrary Python code during the deserialization process. An attacker can craft a malicious pickle payload disguised as a model file that, when loaded, executes arbitrary code on the target system with the privileges of the application.
Root Cause
The root cause is the direct use of torch.load on user-controlled file paths without implementing any of the recommended security measures. PyTorch's documentation explicitly warns against loading untrusted data with torch.load due to pickle's ability to execute arbitrary code during deserialization. The application fails to:
- Validate that the model path points to expected locations
- Use PyTorch's weights_only=True parameter to restrict deserialization
- Implement allowlisting of safe model sources
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker can exploit this vulnerability by:
- Hosting a malicious model file containing a crafted pickle payload on an attacker-controlled server or tricking the application into loading a local malicious file
- Providing the path to this malicious model file through the web interface's model selection functionality
- When the application attempts to load the model using torch.load, the pickle deserialization process executes the embedded malicious code
The malicious payload typically involves overriding the __reduce__ method in a Python class to execute arbitrary system commands. When torch.load deserializes the crafted file, Python's pickle module invokes this method, triggering code execution.
For technical details on the vulnerable code paths, see the GitHub Security Advisory.
Detection Methods for CVE-2025-43851
Indicators of Compromise
- Unusual model files in application directories with unexpected content or file signatures
- Unexpected process spawning from the Python interpreter running the WebUI application
- Network connections to suspicious external hosts initiated by the application process
- Anomalous file system activity or new files created in system directories
Detection Strategies
- Monitor for torch.load calls with paths pointing to non-standard or external locations
- Implement file integrity monitoring on model directories to detect unauthorized additions
- Use application-level logging to track model loading operations and audit model path inputs
- Deploy endpoint detection to identify suspicious child processes spawned by the application
Monitoring Recommendations
- Enable verbose logging for the WebUI application to capture all model loading attempts
- Configure network monitoring to detect outbound connections from the application to unexpected destinations
- Set up alerting for any attempts to access model files from network shares or URLs
- Monitor system call activity from the application process for signs of command execution
How to Mitigate CVE-2025-43851
Immediate Actions Required
- Restrict access to the WebUI application to trusted users only until a patch is available
- Implement network segmentation to limit the application's ability to reach external resources
- Review and audit all model files currently in use for signs of tampering
- Consider running the application in a containerized or sandboxed environment to limit blast radius
Patch Information
As of the time of publication, no official patch exists for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on remediation.
Workarounds
- Implement a strict allowlist of permitted model paths, rejecting any paths outside predefined directories
- Modify the source code to use torch.load with weights_only=True parameter where possible to prevent arbitrary code execution
- Deploy a web application firewall (WAF) or reverse proxy to filter malicious inputs before they reach the application
- Run the application with minimal privileges and consider using mandatory access control (MAC) frameworks like SELinux or AppArmor
# Example: Restrict model directory permissions
chmod 755 /path/to/models
chown -R appuser:appgroup /path/to/models
# Ensure only trusted model files exist
find /path/to/models -type f -name "*.pth" -exec sha256sum {} \; > /path/to/model_checksums.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
