{"data":{"id":"1b2ff960-60c3-450a-8bd5-4e029ed516c8","title":"CVE-2025-43846: Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vu","summary":"Retrieval-based-Voice-Conversion-WebUI, a voice changing tool based on VITS (a voice synthesis model), has a vulnerability in versions 2.2.231006 and earlier where user-supplied file paths are loaded directly using torch.load (a function that can execute code when loading files), allowing attackers to run arbitrary code on the system. This happens because the ckpt_path1 variable accepts untrusted input and passes it unsafely to a model-loading function.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-43846","publishedAt":"2025-05-05T18:15:42.430Z","cveId":"CVE-2025-43846","cweIds":["CWE-502"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["model_theft"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Retrieval-based-Voice-Conversion-WebUI","RVC-Project"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.06018,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}