Vulnerability Description
Retrieval-based-Voice-Conversion-WebUI is a voice-changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a shell command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
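The description above names the weakness class without showing it. The following added example (illustrative code, not the project's own) contrasts a builder that glues the three user-controlled fields into one shell string with a hardened builder that validates each field and hands an argv list to subprocess without a shell. The script name, directory layout and the f0-method allowlist are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed allowlist of pitch-extraction methods the UI offers (illustrative).
ALLOWED_F0_METHODS = {"pm", "harvest", "dio", "rmvpe"}
# Experiment names: short, no path separators or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Assumed base directory under which experiment folders live.
BASE_DIR = Path("/srv/rvc/logs").resolve()


def build_cmd_unsafe(exp_dir1: str, np7, f0method8: str) -> str:
    """The vulnerable pattern: user values glued into one shell string.
    Whatever the user typed reaches the shell unchanged (illustration only)."""
    return f"python extract_f0_print.py logs/{exp_dir1} {np7} {f0method8}"


def build_cmd_safe(exp_dir1: str, np7, f0method8: str) -> list:
    """Validate each field against its expected shape, then return an argv
    list so that no shell ever parses user-supplied text."""
    if not SAFE_NAME.match(exp_dir1):
        raise ValueError("experiment name must match [A-Za-z0-9_.-]{1,64}")
    target = (BASE_DIR / exp_dir1).resolve()
    if BASE_DIR not in target.parents:  # catches '.' and '..' escaping BASE_DIR
        raise ValueError("experiment dir escapes the base directory")
    try:
        n_proc = int(np7)
    except (TypeError, ValueError):
        raise ValueError("np7 must be an integer") from None
    if not 1 <= n_proc <= 128:
        raise ValueError("np7 out of range")
    if f0method8 not in ALLOWED_F0_METHODS:
        raise ValueError(f"unknown f0 method: {f0method8!r}")
    return ["python", "extract_f0_print.py", str(target), str(n_proc), f0method8]


def is_rejected(exp_dir1, np7, f0method8) -> bool:
    """True when the hardened builder refuses the input (useful to log as a detection signal)."""
    try:
        build_cmd_safe(exp_dir1, np7, f0method8)
    except ValueError:
        return True
    return False


def run_extract(exp_dir1, np7, f0method8) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(build_cmd_safe(exp_dir1, np7, f0method8),
                          check=False, capture_output=True)
```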
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rvc-Project | Retrieval-Based-Voice-Conversion-Webui | <= 2.2.231006 |
Related Weaknesses (CWE)
References
- https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19 (Product)
- https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval- (Vendor Advisory)
FAQ
What is CVE-2025-43843?
CVE-2025-43843 is a command injection vulnerability in Retrieval-based-Voice-Conversion-WebUI (versions 2.2.231006 and prior) with a CVSS base score of 9.8 (CRITICAL); see the vulnerability description above for details.
How severe is CVE-2025-43843?
CVE-2025-43843 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-43843?
As of time of publication, no known patch exists. Check the references section above for vendor advisories and patch information. Affected products: Rvc-Project Retrieval-Based-Voice-Conversion-Webui.