GPT-SoVITS-WebUI Command Injection Vulnerability in Change_Label Function

Vulnerability

A command injection vulnerability has been identified in GPT-SoVITS-WebUI, specifically in versions through 20250228v3. The issue arises in the webui.py file, within the change_label function. User input from the path_list variable is improperly sanitized and concatenated into a command that is executed on the server. This flaw allows for arbitrary command execution.

Impact

Exploitation of this vulnerability could lead to arbitrary command execution on the server where GPT-SoVITS-WebUI is running.

Reproduction

To reproduce this vulnerability, input a crafted path list into the change_label function. The input is not properly sanitized, allowing for the injection of malicious commands that will be executed on the server.
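The following is an added example, not code from the GPT-SoVITS-WebUI project: a hypothetical reconstruction of the pattern the advisory describes (a user-controlled path interpolated into one shell string) beside a hardened form that validates the path against an allowed directory and hands it to the child process as a single argv element with shell=False. The tool script name and the output directory are placeholders.

```python
import subprocess
from pathlib import Path
from typing import List

# Hypothetical reconstruction of the vulnerable pattern (constructed, not the
# project's code): the user-controlled path_list is interpolated into a single
# shell string, so any shell metacharacters it carries are parsed as command syntax.
def build_label_command_unsafe(path_list: str) -> str:
    return f'python tools/label_tool.py --load_list "{path_list}"'  # placeholder tool name

DEFAULT_ROOT = Path("/srv/gpt-sovits/output")  # assumed deployment directory

def validate_list_path(raw: str, root: Path = DEFAULT_ROOT) -> Path:
    """Accept only a .list file that resolves inside root.

    Containment is checked on the resolved path, so '..' segments and absolute
    paths pointing elsewhere are refused before any command is built.
    """
    root = root.resolve()
    candidate = Path(raw)
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve()
    if candidate.suffix != ".list":
        raise ValueError(f"not a .list file: {raw!r}")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes allowed root: {raw!r}") from None
    return candidate

def is_valid_list_path(raw: str, root: Path = DEFAULT_ROOT) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_list_path(raw, root)
        return True
    except ValueError:
        return False

def build_label_argv_safe(path_list: str, root: Path = DEFAULT_ROOT) -> List[str]:
    """Build an argv list: the validated path is one argument and is never re-parsed."""
    validated = validate_list_path(path_list, root)
    return ["python", "tools/label_tool.py", "--load_list", str(validated)]

def start_label_tool(path_list: str, root: Path = DEFAULT_ROOT) -> subprocess.Popen:
    """Launch with an argv list and shell=False so arguments reach the child verbatim."""
    return subprocess.Popen(build_label_argv_safe(path_list, root), shell=False)
```

Rejecting the input before the command is built also gives a clean point to log refused paths, which is the signal a defender would alert on.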

Added: Jul 16, 2025, 12:16 AM
Updated: Jul 16, 2025, 12:16 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.