CVE-2025-49834: GPT-SoVITS-WebUI RCE Vulnerability

CVE-2025-49834 Overview

CVE-2025-49834 is a command injection vulnerability affecting GPT-SoVITS-WebUI, a popular voice conversion and text-to-speech web interface. The vulnerability exists in the open_denoise function within webui.py, where user-supplied input through the denoise_inp_dir and denoise_opt_dir parameters is concatenated directly into a command string and executed on the server without proper sanitization. This flaw allows unauthenticated remote attackers to execute arbitrary commands on the underlying system.

Critical Impact
Unauthenticated remote attackers can achieve arbitrary command execution on servers running GPT-SoVITS-WebUI version 20250228v3 and prior, potentially leading to complete system compromise.

Affected Products

GPT-SoVITS-WebUI version 20250228v3 and all prior versions
rvc-boss gpt-sovits-webui

Discovery Timeline

July 15, 2025 - CVE-2025-49834 published to NVD
July 30, 2025 - Last updated in NVD database

Technical Details for CVE-2025-49834

Vulnerability Analysis

This command injection vulnerability stems from improper handling of user input in the web interface's denoise functionality. The open_denoise function in webui.py accepts two user-controllable parameters: denoise_inp_dir (input directory) and denoise_opt_dir (output directory). These values are directly concatenated into a command string that is subsequently executed by the Python runtime on the server.

The lack of input validation or sanitization allows attackers to inject shell metacharacters and malicious commands that will be interpreted and executed by the underlying operating system shell. Since this is a network-accessible web interface, exploitation can be achieved remotely without authentication, making it particularly dangerous for internet-facing deployments.

Root Cause

The root cause is a classic CWE-77 (Command Injection) vulnerability where user-supplied input is passed unsanitized to a system command execution function. The denoise_inp_dir and denoise_opt_dir parameters flow directly from user input into command construction at multiple points in webui.py (lines 362, 366, 909-910, and 1038) without any validation, escaping, or use of parameterized command execution methods.

Attack Vector

The vulnerability is exploitable over the network without requiring authentication. An attacker can craft malicious input containing shell metacharacters (such as ;, |, &&, or backticks) in the directory path parameters. When the application processes this input, the injected commands are executed with the same privileges as the web application process.

For example, an attacker could supply a directory path like ; whoami ; or $(malicious_command) to execute arbitrary system commands. The vulnerability affects the denoise processing workflow, which is typically accessible through the web interface without additional authentication requirements.

Technical details of the vulnerable code paths can be found in the GitHub Security Advisory and the referenced source code locations.

Detection Methods for CVE-2025-49834

Indicators of Compromise

Unexpected child processes spawned from the Python web application process
Unusual network connections or reverse shells originating from the GPT-SoVITS-WebUI server
Suspicious directory path values containing shell metacharacters (;, |, &&, $(), backticks) in application logs
File system modifications outside normal application directories

Detection Strategies

Monitor web application logs for denoise requests containing shell metacharacters or command injection patterns in directory path parameters
Implement web application firewall (WAF) rules to detect and block requests with suspicious characters in path parameters
Deploy endpoint detection solutions to monitor for unexpected command execution from Python processes
Enable process creation auditing on systems running the application to capture anomalous subprocess spawning

Monitoring Recommendations

Configure alerting for any subprocess execution from the GPT-SoVITS-WebUI application that deviates from expected behavior
Monitor for outbound network connections from the web server to unexpected destinations
Implement file integrity monitoring on critical system directories
Review authentication and access logs for the web interface for unusual access patterns

How to Mitigate CVE-2025-49834

Immediate Actions Required

Restrict network access to GPT-SoVITS-WebUI instances to trusted networks only; do not expose to the public internet
Implement network-level access controls or place the application behind a VPN
Deploy a web application firewall (WAF) with rules to block command injection patterns
Run the application with minimal system privileges in an isolated environment or container

Patch Information

At the time of publication, no known patched versions are available for this vulnerability. Users should monitor the GPT-SoVITS GitHub repository for security updates and apply patches as soon as they become available.

Workarounds

Isolate the application in a containerized environment with restricted system access and no network egress capabilities
Implement input validation at the reverse proxy or WAF level to block requests containing shell metacharacters in directory parameters
Disable or restrict access to the denoise functionality if it is not required for your use case
Consider running the application in a sandboxed environment with limited file system and network access

bash

# Example: Restrict network access using iptables
# Allow only specific trusted IPs to access the web interface
iptables -A INPUT -p tcp --dport 7860 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP