CVE-2025-49839: GPT-SoVITS-WebUI Deserialization Flaw

CVE-2025-49839 Overview

CVE-2025-49839 is an unsafe deserialization vulnerability in GPT-SoVITS-WebUI, an open-source voice conversion and text-to-speech web interface maintained by RVC-Boss. The flaw affects versions 20250228v3 and prior. User-controlled input passed to the model_choose variable is forwarded to the uvr function, which instantiates the Roformer_Loader class. The class then calls torch.load on the attacker-supplied path, enabling arbitrary code execution through Python pickle deserialization. No patched version was available at the time of publication.

Critical Impact

Remote attackers can achieve arbitrary code execution on the host running GPT-SoVITS-WebUI by supplying a malicious model path, with no authentication required.

Affected Products

• RVC-Boss GPT-SoVITS-WebUI version 20250228v3
• All prior GPT-SoVITS-WebUI releases
• Deployments exposing the tools/uvr5/webui.py interface

Discovery Timeline

• 2025-07-15 - CVE-2025-49839 published to NVD
• 2025-07-30 - Last updated in NVD database

Technical Details for CVE-2025-49839

Vulnerability Analysis

The vulnerability resides in tools/uvr5/bsroformer.py within the GPT-SoVITS-WebUI project. The model_choose parameter, exposed through the Gradio-based web UI in webui.py, accepts a user-supplied string representing a model identifier. That value flows into the uvr function, which constructs a Roformer_Loader instance and assigns the supplied value to its model_path attribute after appending the .ckpt extension. Inside Roformer_Loader, the code invokes torch.load(model_path) to deserialize the file from disk.

PyTorch's torch.load uses Python's pickle module by default. Pickle deserialization executes arbitrary code defined in the __reduce__ method of any object embedded in the serialized stream. The CWE classification for this weakness is [CWE-502] Deserialization of Untrusted Data.

Root Cause

The root cause is the absence of validation, sandboxing, or safe-loading controls around torch.load. The application trusts client-controlled file paths and loads serialized model artifacts without verifying their integrity, origin, or contents. The weights_only=True flag, introduced in newer PyTorch releases to restrict unpickling to safe types, is not used.

Attack Vector

An attacker reaches the vulnerable code over the network by interacting with the web UI. The attacker first places a malicious pickle file on the target system or stages it at a writable path reachable by the application, then submits its name through the model selection input. When the application appends .ckpt and calls torch.load, the embedded payload executes with the privileges of the Python process. Exploitation requires no authentication or user interaction.

No verified proof-of-concept code is publicly indexed. Technical details are documented in the GitHub Security Advisory GHSL-2025-049 and in the affected source file bsroformer.py.

Detection Methods for CVE-2025-49839

Indicators of Compromise

• Unexpected child processes spawned by the Python interpreter hosting GPT-SoVITS-WebUI, such as sh, bash, cmd.exe, or powershell.exe.
• New or modified .ckpt, .pt, or .pth files in the tools/uvr5/ model directories that were not added through legitimate workflows.
• Outbound network connections from the GPT-SoVITS-WebUI host to unfamiliar IPs immediately after model selection events.
• Web server access logs showing requests to the Gradio endpoints associated with uvr5/webui.py followed by anomalous process activity.

Detection Strategies

• Monitor process lineage for python processes loading PyTorch and subsequently launching shells or scripting interpreters.
• Inspect filesystem telemetry for newly written model files in directories consumed by Roformer_Loader.
• Hunt for use of torch.load against paths under web-writable directories in application logs and tracing tools.

Monitoring Recommendations

• Enable command-line and parent-process logging on hosts running GPT-SoVITS-WebUI.
• Alert on egress traffic from the application host to non-allowlisted destinations.
• Capture and retain Gradio request logs to correlate model-selection inputs with subsequent process behavior.

How to Mitigate CVE-2025-49839

Immediate Actions Required

• Restrict network access to GPT-SoVITS-WebUI so only trusted operators on isolated networks can reach the interface.
• Disable or remove the tools/uvr5/ UVR5 functionality if it is not required for the deployment.
• Run the application as a low-privileged user inside a container or sandbox to limit the blast radius of code execution.
• Allowlist model files by cryptographic hash and reject any path that resolves outside a controlled directory.

Patch Information

No official patched version was available at publication. Track the RVC-Boss GPT-SoVITS repository and the GHSL-2025-049 advisory for fix availability.

Workarounds

• Modify local deployments to call torch.load with weights_only=True where the PyTorch version supports it.
• Validate the model_choose input against a strict allowlist of known model filenames before passing it to uvr.
• Block the web UI behind authenticated reverse proxies or VPN access to prevent unauthenticated exploitation.
• Treat all .ckpt, .pt, and .pth files received from external sources as untrusted and scan them before loading.

# Configuration example: run GPT-SoVITS-WebUI behind an authenticated reverse proxy
# and bind the service to localhost only
export GRADIO_SERVER_NAME="127.0.0.1"
export GRADIO_SERVER_PORT="9873"
python webui.py --listen 127.0.0.1