Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal in fishaudio Bert-VITS2's Gradio web interface allows remote unauthenticated attackers to read or write arbitrary files on the server filesystem via the generate_config function's data_dir parameter. Public exploit code exists (disclosed via VulDB and GitHub Gist). EPSS data unavailable; CVSS 5.5 (Medium) but CVSS 4.0 vector shows network-accessible, no authentication required (AV:N/PR:N), making this readily exploitable against any internet-exposed instance. Vendor non-responsive to early disclosure attempt, indicating no official patch available.
Technical ContextAI
Bert-VITS2 is a voice cloning and text-to-speech system using BERT models and VITS2 architecture, exposing functionality via a Gradio web interface. The vulnerability resides in webui_preprocess.py's generate_config function, which processes user-supplied data_dir parameters without proper path validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The Gradio framework provides HTTP endpoints for model preprocessing tasks, and insufficient input sanitization allows attackers to inject path traversal sequences (e.g., '../../../etc/passwd') to escape intended directory boundaries. The CVSS vector VC:L/VI:L/VA:L indicates limited confidentiality, integrity, and availability impacts, suggesting partial file access rather than full system compromise, though exact impact depends on filesystem permissions of the Gradio process.
RemediationAI
No vendor-released patch identified at time of analysis-maintainer did not respond to early disclosure. Users must apply community-sourced mitigations or downstream forks with fixes. Immediate action: review GitHub repository commits after 8f7fbd8c4770965225d258db548da27dc8dd934c for path validation improvements in webui_preprocess.py; apply any available sanitization patches from community forks. Specific compensating controls: (1) Restrict Gradio interface to localhost only (bind to 127.0.0.1) if remote access not required-eliminates network attack vector but breaks legitimate remote use cases. (2) Deploy reverse proxy (nginx/Apache) with strict input validation on data_dir parameters to reject '../' sequences-requires regex tuning to avoid breaking valid relative paths. (3) Run Gradio process under a dedicated low-privilege user with chroot jail or containerization (Docker with read-only root filesystem)-limits file access scope but requires infrastructure changes. (4) Implement Web Application Firewall rules to block requests containing path traversal patterns-may trigger false positives on legitimate filenames. Each mitigation trades functionality or deployment complexity against risk reduction. Monitor upstream repository (https://github.com/fishaudio/Bert-VITS2) for official fixes post-disclosure.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30702
GHSA-g26q-578c-pc62