CVE-2025-43849 | RVC-Project Retrieval-based-Voice-Conversion-WebUI up to 2.2.231006 process_ckpt.py merge ckpt_a/cpkt_b deserialization (GHSL-2025-012)

Inserito da Angelo Barbosa | Mag 5, 2025 | CVE

A vulnerability classified as very critical has been found in RVC-Project Retrieval-based-Voice-Conversion-WebUI up to 2.2.231006. Affected is the function merge of the file process_ckpt.py. The manipulation of the argument ckpt_a/cpkt_b leads to deserialization.

This vulnerability is traded as CVE-2025-43849. It is possible to launch the attack remotely. There is no exploit available.

CVE-2025-43849 | RVC-Project Retrieval-based-Voice-Conversion-WebUI up to 2.2.231006 process_ckpt.py merge ckpt_a/cpkt_b deserialization (GHSL-2025-012)

Post correlati

CVE-2024-31670 | rizin up to 0.6.2 dyldcache.c buffer overflow

CVE-2024-41309 | Enjay IT Solutions CRM OS 1.0 Restricted Terminal sandbox

CVE-2024-43854 | Linux Kernel up to 6.1.102/6.6.43/6.10.2 block bio_integrity_prep initialization

CVE-2025-46559 | misskey up to 2025.2.1 Mk:api path traversal