CVE-2025-43848: Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vu
criticalvulnerability
security
Summary
Retrieval-based-Voice-Conversion-WebUI, a voice-changing tool, has a vulnerability in versions 2.2.231006 and earlier where user input for model file paths is passed unsafely to torch.load (a function that loads saved AI models). This unsafe deserialization (loading data from untrusted sources without checking it first) can allow attackers to run arbitrary code on the system.
Vulnerability Details
CVSS Score
9.8(critical)
EPSS (30-day exploit probability)
EPSS: 6.0%
Classification
Attack Type
Model Theft
Attack SophisticationTrivial
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-43848
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 95%