### Key Vulnerability Information

#### Vulnerability IDs

- GHSL-2025-012
- GHSL-2025-022
- CVE-2025-43842
- CVE-2025-43852

#### Vulnerability Types

- Command Injection
- Code Injection
- Deserialization of Untrusted Data

#### Impact

- These vulnerabilities could lead to arbitrary command execution and remote code execution.

#### CWEs

- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-502: Deserialization of Untrusted Data

#### Vulnerability Details

1. **Command Injection in the `infer-web.py` `extract_ff_feature` function**
   - The variables `exp_dir`, `spk`, and `text_dir` are user-supplied inputs passed to the `extract_ff_feature` function, which concatenates them into a command executed on the server. This could lead to arbitrary command execution.
2. **Command Injection in the `infer-web.py` `change_info` function**
   - The variable `ckpt_path` is user-supplied and passed to the `change_info` function, which opens and reads the file path and modifies its contents. This could lead to remote code execution.
3. **Deserialization of Untrusted Data in Multiple Functions**
   - Multiple functions such as `show_info`, `extract_snail_model`, `change_info`, `merge`, `AudioPreprocess`, etc., use user-supplied paths to load models or process files, which could result in deserialization of untrusted data, potentially leading to remote code execution.

#### Disclosure Timeline

- 2025-05-20: Issue #16 created to request contributor contact for security disclosure.
- 2025-07-25: Received response from one contributor confirming the repository is not fully active.
- 2025-07-26: Attempted to contact again to enable private vulnerability reporting on GitHub.
- 2025-04-23: GitHub Security Lab assigned CVEs under the 90-day disclosure policy.
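The two root causes listed above (user-supplied names concatenated into a shell command, and user-supplied paths handed straight to file and model loaders) have standard mitigations. The Python sketch below is an added illustration written for this summary; it is not code from the affected project or from the advisory. The script name `extract_feature.py`, the base directory `BASE_DIR`, and the function names are assumptions chosen for the example. It shows the unsafe shell-string pattern next to a hardened version that validates each argument against an allowlist and passes an argument vector with `shell=False`, and a path-confinement check that keeps a user-supplied checkpoint path inside a fixed directory before it is ever opened or deserialized.

```python
import os
import re
import subprocess

# Assumed directory under which all experiment folders and checkpoints live.
# The value is constructed for this example; a real deployment would set its own.
BASE_DIR = os.path.realpath("/tmp/rvc_logs_example")

# Allowlist for names that end up as command arguments: letters, digits, '_', '.', '-'.
# No whitespace, no shell metacharacters, no path separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_safe_name(value: str) -> bool:
    """True if value can be used as a single argv element and a single path component."""
    return bool(_SAFE_NAME.fullmatch(value)) and value not in (".", "..")


def build_extract_command_unsafe(exp_dir: str, spk: str, text_dir: str) -> str:
    """The pattern the advisory describes: raw inputs concatenated into one shell string.

    If this string were passed to os.system() or subprocess.run(..., shell=True),
    any shell syntax inside exp_dir, spk or text_dir would be interpreted by the shell.
    Kept here only for side-by-side comparison; the example never executes it.
    """
    return f"python extract_feature.py {exp_dir} {spk} {text_dir}"


def build_extract_argv(exp_dir: str, spk: str, text_dir: str) -> list:
    """Hardened equivalent: validate each input, then build an argv list (no shell)."""
    for name, value in (("exp_dir", exp_dir), ("spk", spk), ("text_dir", text_dir)):
        if not is_safe_name(value):
            raise ValueError(f"{name} contains disallowed characters: {value!r}")
    return ["python", "extract_feature.py", exp_dir, spk, text_dir]


def run_extract(exp_dir: str, spk: str, text_dir: str) -> int:
    """Run the feature extraction with an argument vector; shell=False means no
    metacharacter interpretation regardless of the argument contents."""
    argv = build_extract_argv(exp_dir, spk, text_dir)
    completed = subprocess.run(argv, shell=False, check=False)
    return completed.returncode


def resolve_under(base: str, user_path: str) -> str:
    """Resolve user_path relative to base and require the result to stay inside base.

    realpath() collapses '..' segments and symlinks, so a traversal attempt resolves to
    its true location, which commonpath() then detects as lying outside base.
    """
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes the allowed directory: {user_path!r}")
    return candidate


def is_confined(user_path: str) -> bool:
    """Convenience check for callers that want a boolean rather than an exception."""
    try:
        resolve_under(BASE_DIR, user_path)
        return True
    except ValueError:
        return False


def resolve_checkpoint(user_path: str) -> str:
    """Return the confined absolute path of a checkpoint the user asked to load.

    Confining the path stops functions like change_info from reading or rewriting
    arbitrary files. It does not by itself make the file contents trustworthy:
    the deserialization step that follows (for PyTorch files, torch.load) should
    additionally use weights_only=True so that only tensors and plain containers are
    reconstructed, not arbitrary pickled objects.
    """
    path = resolve_under(BASE_DIR, user_path)
    if not path.endswith(".pth"):
        raise ValueError("checkpoint must be a .pth file")
    return path


if __name__ == "__main__":
    print(build_extract_command_unsafe("exp1", "spk0", "texts"))
    print(build_extract_argv("exp1", "spk0", "texts"))
    print(resolve_checkpoint("exp1/model.pth"))
```

The argv form is the important change for item 1: with `shell=False`, each list element reaches the child process as one argument and no shell parses it, so the allowlist is defense in depth rather than the only barrier. For items 2 and 3 the path check bounds *which* file is touched; the `weights_only=True` note in `resolve_checkpoint` addresses *what* is reconstructed from it, which is the CWE-502 half of the problem.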