CVE-2025-49841 Overview
CVE-2025-49841 is an unsafe deserialization vulnerability affecting GPT-SoVITS-WebUI, a popular voice conversion and text-to-speech web interface. The vulnerability exists in the process_ckpt.py file where user-controlled input is passed to PyTorch's torch.load function without proper validation, allowing attackers to execute arbitrary code through maliciously crafted model files.
Critical Impact
Attackers can achieve remote code execution by exploiting the unsafe deserialization in the model loading functionality, potentially compromising the entire system running the WebUI.
Affected Products
- rvc-boss gpt-sovits-webui version 20250228v3 and prior
- All GPT-SoVITS-WebUI installations using the vulnerable process_ckpt.py module
- Systems running the inference WebUI with exposed model loading functionality
Discovery Timeline
- July 15, 2025 - CVE-2025-49841 published to NVD
- July 30, 2025 - Last updated in NVD database
Technical Details for CVE-2025-49841
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), a well-known class of security issues that can lead to remote code execution. The flaw occurs in the model loading workflow of GPT-SoVITS-WebUI where the SoVITS_dropdown variable accepts user input and passes it directly to the load_sovits_new function.
Within load_sovits_new, the user-supplied path (sovits_path) is used as an argument to torch.load() without any sanitization or validation. PyTorch's torch.load function uses Python's pickle module under the hood, which is inherently unsafe when processing untrusted data. An attacker can craft a malicious pickle payload disguised as a model checkpoint file that executes arbitrary Python code when deserialized.
The network-accessible attack vector combined with no required privileges or user interaction makes this vulnerability particularly dangerous for internet-facing deployments. Successful exploitation grants the attacker the same privileges as the process running the WebUI, potentially leading to full system compromise.
Root Cause
The root cause is the direct use of torch.load() on user-controllable file paths without implementing safe deserialization practices. The vulnerable code in process_ckpt.py (lines 100-106) trusts that the provided model checkpoint file is legitimate, failing to account for the risk of pickle deserialization attacks. PyTorch's documentation explicitly warns that torch.load() uses pickle internally and should never be used on untrusted data without the weights_only=True parameter or equivalent safeguards.
Attack Vector
The attack requires an adversary to either:
- Upload a malicious model file through the WebUI interface if file upload is permitted
- Provide a path to a malicious file already present on the system
- Exploit any file write primitive to place a malicious checkpoint file in a location the application will load
Once the malicious file path is supplied to the SoVITS_dropdown input, it flows through inference_webui.py (lines 873 and 926) to the vulnerable load_sovits_new function, which triggers the deserialization and executes the embedded payload.
The vulnerability mechanism involves PyTorch's torch.load() function deserializing pickle data from user-supplied model files. When a malicious pickle payload is crafted with a __reduce__ method containing arbitrary code, the deserialization process automatically executes that code. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2025-49841
Indicators of Compromise
- Unexpected files with .pth, .ckpt, or similar model checkpoint extensions appearing in model directories
- Unusual process spawning or network connections originating from the GPT-SoVITS-WebUI process
- Log entries showing model loading attempts from non-standard paths or user-controlled locations
- Evidence of pickle deserialization errors or Python exception traces in application logs
Detection Strategies
- Monitor file system activity for new or modified checkpoint files in the GPT-SoVITS model directories
- Implement application-level logging to track all model loading operations and the source paths
- Deploy endpoint detection rules to identify suspicious Python subprocess execution patterns
- Analyze network traffic for unexpected outbound connections from the WebUI application
Monitoring Recommendations
- Enable verbose logging in the GPT-SoVITS-WebUI application to capture model loading events
- Configure SIEM alerts for anomalous process behavior associated with Python/PyTorch applications
- Implement file integrity monitoring on directories containing legitimate model checkpoints
- Review web server access logs for unusual requests to model loading endpoints
How to Mitigate CVE-2025-49841
Immediate Actions Required
- Restrict network access to GPT-SoVITS-WebUI instances, limiting exposure to trusted networks only
- Disable or restrict the model upload and selection functionality if not required for operations
- Implement strict file path validation to ensure only pre-approved model files can be loaded
- Run the WebUI application with minimal privileges using a dedicated service account
Patch Information
At the time of publication, no known patched versions are available from the vendor. Organizations should monitor the GPT-SoVITS GitHub repository for security updates and apply patches as soon as they become available. The recommended fix involves using torch.load() with the weights_only=True parameter or implementing alternative safe loading mechanisms.
Workarounds
- Deploy the application behind a reverse proxy with strong authentication to limit access to authorized users
- Modify process_ckpt.py to add weights_only=True parameter to torch.load() calls, though this may break functionality if models contain non-tensor objects
- Implement an allowlist of trusted model file hashes and validate checkpoints before loading
- Containerize the application with restricted capabilities and network isolation to limit blast radius
# Example: Running GPT-SoVITS-WebUI with restricted permissions
# Create dedicated user with minimal privileges
useradd -r -s /bin/false gpt-sovits-user
# Restrict model directory permissions
chmod 750 /opt/gpt-sovits/models
chown gpt-sovits-user:gpt-sovits-user /opt/gpt-sovits/models
# Run application as restricted user
su -s /bin/bash -c "python inference_webui.py" gpt-sovits-user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
