GHSL-2025-048: GPT-SoVITS Command Injection vulnerability

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py change_label function. path_list takes user input, which is passed to the change_label function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available.

N/A

在命令中使用的特殊元素转义处理不恰当(命令注入)

GPT-SoVITS-WebUI 命令注入漏洞

GPT-SoVITS-WebUI是RVC-Boss个人开发者的一个TTS训练模型。 GPT-SoVITS-WebUI 20250228v3及之前版本存在命令注入漏洞，该漏洞源于change_label函数存在命令注入，可能导致执行任意代码。

N/A

N/A