Retrieval-Based Voice Conversion WebUI Unsafe Deserialization Vulnerability Allowing Remote Code Execution

Vulnerability

Retrieval-Based Voice Conversion WebUI versions through 2.2.231006 are affected by unsafe deserialization that can lead to remote code execution. The issue arises in the 'process_ckpt.py' file, where the 'ckpt_path2' variable accepts user input, such as a model path, and passes it to the 'extract_small_model' function. This function uses 'torch.load' to load the model from the specified path; because 'torch.load' relies on Python's pickle format, a crafted model file can run code as it is deserialized. Similar deserialization vulnerabilities are present in other functions within the same module, as well as in 'export.py' and 'vr.py', all of which can also lead to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the application is running.

Reproduction

To reproduce this vulnerability, upload a malicious model file to a location accessible by the application. Then, use the 'ckpt_path2' variable to reference this file, ensuring it is passed to the 'extract_small_model' function in 'process_ckpt.py'. The 'torch.load' function will deserialize the model, executing any embedded malicious code. This vulnerability can also be reproduced by referencing the malicious file in the 'change_info_' function, which evaluates the file's contents and executes any included code. Additionally, the 'AudioPre' and 'AudioPreDeEcho' classes in 'vr.py' can be used to trigger the vulnerability by loading the malicious file through 'torch.load' after appending the appropriate model extension.
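
A defensive pre-load check for the 'torch.load' paths described above, added here as an example and not code from the project or from this advisory: it lists the imports a zip-format checkpoint's pickle would perform, without loading it, and reports anything outside an allow-list. The allow-list, the 'data.pkl' member match and all function names are assumptions, and the sample inputs are constructed.

```python
import io
import pickle
import pickletools
import zipfile

# Assumed allow-list for a plain tensor state_dict; tune it to your own models.
ALLOWED = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "LongStorage"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(stream):
    """List (module, name) imports in a pickle stream without executing it."""
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            pair = recent[-2:]
            ok = len(pair) == 2 and None not in pair
            found.add(tuple(pair) if ok else ("?", "?"))  # unresolved: fail closed
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name not in MEMO_OPS:
            recent.append(None)  # any other opcode makes the operands ambiguous
    return found

def unexpected_globals(blob):
    """Return imports outside ALLOWED for a zip-format checkpoint (bytes)."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return {("?", "legacy-or-unknown-format")}  # reject instead of guessing
    bad = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        pkls = [n for n in zf.namelist() if n.endswith("data.pkl")]
        if not pkls:
            return {("?", "no-data.pkl")}
        for name in pkls:
            bad |= referenced_globals(zf.read(name)) - ALLOWED
    return bad

def make_sample(obj):
    """Constructed test input: a zip holding archive/data.pkl, not a real model."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()
```

A non-empty result means the file should be refused. The scan is a pre-filter only; files that pass should still be loaded with 'torch.load(path, weights_only=True)', which restricts unpickling to tensor data.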

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.