
AVID-2026-R1505

Description

fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py bert_gen function (CVE-2024-39686)

Details

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.

Reason for inclusion in AVID: CVE-2024-39686 describes an OS command injection in Bert-VITS2 (webui_preprocess.py bert_gen) where untrusted user input is used in a shell command via subprocess.run, enabling arbitrary code execution. This is a software vulnerability in an AI model/tooling package that sits in the AI software stack, with high impact. The report provides explicit evidence of the vulnerability and affected version(s). Therefore it is relevant for AVID curation as a software supply-chain vulnerability in general-purpose AI systems.
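The vulnerable pattern named above, placed beside a hardened form, as an added example; this is not Bert-VITS2's own code, and the script name, directory layout and the shape of the command line are assumptions made for the illustration. The block shows the string-interpolation-into-`shell=True` defect (CWE-78), an allow-list validator for `data_dir`, the argv-list call that removes shell parsing entirely, and a small AST audit helper that flags literal `shell=True` calls when reviewing a code base for this class of bug.

```python
from __future__ import annotations

import ast
import re
import subprocess
from pathlib import Path

# Assumed layout for this example: per-dataset directories live under DATA_ROOT.
# This is not Bert-VITS2's real directory structure.
DATA_ROOT = Path("data")

# Hypothetical script name standing in for the preprocessing step the
# advisory describes; the project's real command line is not reproduced.
PREPROCESS_SCRIPT = "bert_gen.py"


def build_vulnerable_cmd(data_dir: str) -> str:
    """The CWE-78 pattern: untrusted data_dir is interpolated into one string
    that is later handed to subprocess.run(cmd, shell=True). Any shell
    metacharacters in the string are interpreted by /bin/sh, not treated as data."""
    return f"python {PREPROCESS_SCRIPT} --config {data_dir}/config.json"


def validate_data_dir(data_dir: str) -> Path:
    """Allow-list check: a single path component of safe characters, which by
    construction excludes separators, '..' and every shell metacharacter.
    The resolved path is then confirmed to sit directly under DATA_ROOT."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", data_dir or ""):
        raise ValueError(f"invalid data_dir: {data_dir!r}")
    root = DATA_ROOT.resolve()
    target = (root / data_dir).resolve()
    if target.parent != root:
        raise ValueError(f"data_dir escapes {root}: {data_dir!r}")
    return target


def build_safe_argv(data_dir: str) -> list[str]:
    """Hardened form: validated input goes into an argv list, so the OS
    receives exactly these arguments and no shell ever parses them."""
    target = validate_data_dir(data_dir)
    return ["python", PREPROCESS_SCRIPT, "--config", str(target / "config.json")]


def run_preprocess(data_dir: str) -> subprocess.CompletedProcess:
    """Run the preprocessing step without a shell (shell=False is the default)."""
    return subprocess.run(build_safe_argv(data_dir), check=True)


def find_shell_true_calls(source: str) -> list[int]:
    """Audit helper: line numbers of calls that pass shell=True as a literal.
    Handy for scanning a code base for the pattern this advisory describes."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: one benign name and one carrying shell metacharacters.
    for candidate in ("speaker1", "speaker1; echo injected"):
        print("vulnerable string:", build_vulnerable_cmd(candidate))
        try:
            print("hardened argv:   ", build_safe_argv(candidate))
        except ValueError as exc:
            print("rejected:        ", exc)
```

The validator deliberately accepts only a bare directory name rather than trying to escape arbitrary input: `shlex.quote` would also neutralise metacharacters, but an allow-list plus an argv list leaves nothing for a shell to misinterpret and also blocks path traversal, which quoting alone does not.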

References

Affected or Relevant Artifacts

  • Developer: FishAudio
  • Deployer: FishAudio
  • Artifact Details:
      • Type: System
      • Name: Bert-VITS2

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 9.8
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-78
  • Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-07-22
  • Version: 0.3.3