RVC-Boss GPT-SoVITS-WebUI Command Injection Vulnerability in Audio Processing Functions

Vulnerability

A command injection vulnerability has been identified in the RVC-Boss GPT-SoVITS-WebUI project, specifically in versions through 20250228v3. The issue arises in the 'webui.py' file within several functions related to audio processing and transcription. User input is not properly sanitized before being concatenated into command strings and executed on the server, allowing for arbitrary command execution. This vulnerability affects the 'open_slice', 'open_denoise', 'open_asr', and 'change_label' functions, all of which can be exploited by manipulating the corresponding input parameters.
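The pattern the advisory describes (a path or option supplied by the user spliced into a command string and handed to a shell) and the mitigation a maintainer would apply, as an added illustration in the project's language. This is constructed example code, not code from GPT-SoVITS-WebUI: the tool name `slice.py`, the `UPLOAD_ROOT` directory and the function names are assumptions. The hardened path does two things: it allowlists the user-controlled value before use, and it invokes the tool with an argument vector and `shell=False`, so nothing the user typed is ever parsed by a shell.

```python
"""Constructed example: shell-string command building beside a hardened
equivalent that validates the input and never invokes a shell."""
import json
import re
import subprocess
import sys
from pathlib import Path

# Hypothetical upload directory; a real deployment would configure this.
UPLOAD_ROOT = Path("/tmp/audio_uploads")
# Allowlist for a single file name: no separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")
ALLOWED_EXT = {".wav", ".mp3", ".flac"}


def vulnerable_command(inp_path: str, opt_dir: str) -> str:
    """The weak pattern: user-controlled values are concatenated into one
    string that a shell will later split and interpret. Shown for contrast
    only; this function never executes anything."""
    return f"{sys.executable} slice.py {inp_path} {opt_dir}"


def validate_upload_name(user_value: str, root: Path = UPLOAD_ROOT) -> Path:
    """Allowlist check on a user-supplied file name.

    Rejects anything outside a conservative character set, any extension
    that is not a known audio type, and any resolved location that does not
    sit under the upload root (defence in depth against traversal)."""
    if not SAFE_NAME.fullmatch(user_value):
        raise ValueError("file name contains characters outside the allowlist")
    if Path(user_value).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("unsupported audio extension")
    candidate = (root / user_value).resolve()
    if root.resolve() not in candidate.parents:
        raise ValueError("path escapes the upload directory")
    return candidate


def is_valid_upload_name(user_value: str) -> bool:
    """Boolean wrapper around validate_upload_name for callers and tests."""
    try:
        validate_upload_name(user_value)
        return True
    except ValueError:
        return False


def build_slice_argv(inp_path: Path, opt_dir: Path) -> list:
    """Argument vector for the (placeholder) slicing tool. Every value is one
    argv element, so no shell ever tokenises it."""
    return [sys.executable, "slice.py", str(inp_path), str(opt_dir)]


def echo_argv(args: list) -> list:
    """Run a child with shell=False and return the argv it actually received.

    Stands in for running the real tool: it shows that values containing
    spaces or shell metacharacters arrive in the child as single, unaltered
    arguments because no shell is involved."""
    argv = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    name = "clip.wav"
    path = validate_upload_name(name)
    print("vulnerable string :", vulnerable_command(name, "output"))
    print("hardened argv     :", build_slice_argv(path, UPLOAD_ROOT / "output"))
    print("child saw         :", echo_argv(["a b", "c;d"]))
```

`validate_upload_name` is the check that was missing: it decides what is allowed rather than trying to strip what is dangerous. The argv form is what makes the fix robust even if validation is later loosened, because `subprocess.run` with a list passes each element straight to the program.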

Impact

Exploitation of this vulnerability could lead to arbitrary command execution on the server where GPT-SoVITS-WebUI is running.

Reproduction

To reproduce this vulnerability, input can be provided to the 'open_asr' function that is not properly sanitized. This input will be concatenated into a command and executed on the server, allowing for arbitrary command execution. Similar exploitation can be done through the 'open_slice', 'open_denoise', and 'change_label' functions by manipulating the respective input parameters.

Added: Jul 15, 2025, 11:54 PM
Updated: Jul 15, 2025, 11:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.