Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GHSL-2025-051: GPT-SoVITS Deserialization of Untrusted Data vulnerability
Vulnerability Description
GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of Roformer_Loader class is created with the model_path attribute containing the aformentioned user input (here called locally model_name). Note that in this step the .ckpt extension is added to the path. In the Roformer_Loader class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
GPT-SoVITS-WebUI 代码问题漏洞
Vulnerability Description
GPT-SoVITS-WebUI是RVC-Boss个人开发者的一个TTS训练模型。 GPT-SoVITS-WebUI 20250228v3及之前版本存在代码问题漏洞,该漏洞源于bsroformer.py存在不安全反序列化,可能导致执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A