CVE-2025-49837: GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe de
criticalvulnerability
security
Summary
GPT-SoVITS-WebUI, a tool for converting voices and generating speech from text, has an unsafe deserialization vulnerability (a flaw where untrusted data is converted back into code objects, potentially allowing attackers to run malicious code) in versions 20250228v3 and earlier. The vulnerability occurs because user-supplied file paths are directly passed to torch.load, a function that can execute arbitrary code during the deserialization process.
Vulnerability Details
CVSS Score
9.8(critical)
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Type
Model Poisoning
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-49837
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 92%