Security Review : Many critical and High vulns found including a number of RCE
I used Cursor, Sonnet 4 API and a custom workflow that I created to perform a security review of this project. I reviewed the results, and as someone that has been doing security reviews for over a decade, they are valid. The project looked promising but I found a slew of critical vulnerabilities. For some, this might not matter, for others I feel they would want to know. For the Devs, this is a chance to fix the problems. I could enter one issue for each finding, but I'm not going to. Along with the list is a detailed write up on each vulnerability along with files where the issues were found, line numbers and remediation assistance. I also included a coverage list which is file based, with the vulns for each file listed.
Coverage
Details
NOTE: Some of these are important to remediate, others like lack of authentication or unchecked uploads are less important due to the nature of the app. Some of the pickle ones are concerning, but the industry as a whole has been largely ignoring this one.
Summary:
32 total vulnerabilities found
- CRITICAL (9.0+): 4 findings
- HIGH (7.0-8.9): 12 findings
- MEDIUM (4.0-6.9): 14 findings
- LOW (< 4.0): 2 findings
Security Findings Summary
| Finding Name | ID | CVSS Score | Level | Description |
|---|---|---|---|---|
| Remote Code Execution via eval() | RVC-2025-001 | 9.8 | Critical | eval() function executes arbitrary Python code from log files |
| Command Injection via subprocess | RVC-2025-002 | 9.8 | Critical | shell=True allows arbitrary command execution |
| Unsafe PyTorch Model Deserialization | RVC-2025-003 | 8.8 | High | torch.load() without weights_only vulnerable to CVE-2025-32434 |
| Unsafe Pickle Deserialization | RVC-2025-004 | 8.8 | High | pickle.load() allows arbitrary code execution |
| Complete Lack of Authentication | RVC-2025-005 | 9.1 | Critical | Web interface has no authentication, accessible to anyone |
| Command Injection via os.popen() | RVC-2025-006 | 7.8 | High | os.popen() command execution without validation |
| Unrestricted File Upload Size | RVC-2025-007 | 6.5 | Medium | No max_file_size limits enable DoS attacks |
| Unrestricted File Upload Types | RVC-2025-008 | 7.3 | High | File uploads accept any format without validation |
| Missing Audio File Validation | RVC-2025-009 | 5.3 | Medium | Audio inputs lack format and safety validation |
| Path Traversal in File Processing | RVC-2025-010 | 7.5 | High | Unsafe file path construction allows directory traversal |
| Missing Security Headers | RVC-2025-011 | 6.1 | Medium | No security headers protect against XSS, clickjacking, CSRF |
| Insecure Binary Download and Execution | RVC-2025-012 | 8.3 | High | Downloads and executes external binaries without signature verification |
| Untrusted Fallback Download Sources | RVC-2025-013 | 6.8 | Medium | Uses multiple external sources without cross-validation |
| Path Traversal in File Processing | RVC-2025-014 | 8.1 | High | Directory traversal in voice conversion batch processing |
| Directory Traversal in Batch Processing Interface | RVC-2025-015 | 7.5 | High | Web interface accepts arbitrary directory paths without validation |
| PyTorch Denial of Service Vulnerability | RVC-2025-016 | 5.5 | Medium | PyTorch ctc_loss function vulnerable to DoS attacks (CVE-2025-3730) |
| Insecure PyTorch Loading Configuration | RVC-2025-017 | 7.5 | High | Configuration bypasses PyTorch safety mechanisms |
| Docker Security Misconfigurations | RVC-2025-018 | 6.5 | Medium | Multiple Docker security issues including running as root |
| Environment Variable Security Pattern | RVC-2025-019 | 3.1 | Low | Pattern that could expose secrets if misused |
| Resource Exhaustion via Unlimited Requests | RVC-2025-020 | 6.5 | Medium | No rate limiting or concurrent request controls leading to DoS |
| Insecure Temporary File Handling | RVC-2025-021 | 4.4 | Medium | Predictable temporary directories without secure random names |
| Shared Memory Information Disclosure | RVC-2025-022 | 4.1 | Medium | Shared memory segments without sufficient access controls |
| Information Disclosure via Stack Traces | RVC-2025-023 | 5.3 | Medium | Web interface exposes detailed stack traces and system information |
| Overly Broad Exception Handling | RVC-2025-024 | 3.1 | Low | Broad exception handlers mask security issues and create unpredictable behavior |
| Sensitive Information in Log Files | RVC-2025-025 | 4.3 | Medium | Log files contain sensitive paths, commands, and stack traces |
| Complete Lack of Security Testing Infrastructure | RVC-2025-026 | 7.4 | High | No security testing, static analysis, or vulnerability scanning in development lifecycle |
| Docker Security Misconfigurations | RVC-2025-027 | 6.1 | Medium | Docker container lacks security hardening: root user, no resource limits, missing security updates |
| Missing Security Documentation | RVC-2025-028 | 4.3 | Medium | No SECURITY.md, incident response plan, or security guidelines for contributors |
| Comprehensive File Upload Security Bypass | RVC-2025-029 | 8.1 | High | Multiple file upload components lack validation, size limits, or type restrictions |
| Critical Path Traversal in Directory Input Fields | RVC-2025-030 | 9.1 | Critical | Directory input fields accept arbitrary paths without validation, enabling system-wide file access |
| Model Management Path Injection Vulnerabilities | RVC-2025-031 | 8.5 | High | Model fusion/modification interfaces accept arbitrary file paths without validation |
| Information Disclosure Through Exception Handling | RVC-2025-032 | 5.3 | Medium | Exception handling exposes full stack traces to users through web interface |
Vulnerabilities should not be reported publicly; GitHub has a specific section for that.
Also, this is a local-use program. To have any vulnerability of this type you would have to expose your session to the public, and when you do that you know what you expose yourself to.
'GitHub has a specific section for that.' That's news to me.
You are correct, this is a local application, but some of the RCE and pickle related ones you should absolutely be concerned with. Couple that with this one. It pulls code from the internet and executes it.
Finding : Insecure Binary Download and Execution
ID : RVC-2025-012
Overview
The model download system downloads and executes external binaries without proper integrity verification, allowing potential supply chain attacks through compromised binaries.
Details
- Filename : infer/lib/rvcmd.py
- Lines : 197, 205, 209, 228
- CVSS Risk score : 8.3 HIGH
- CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- MITRE Category : Supply Chain Attack / CWE-494
- core problem: Downloads external binary from GitHub/GitCode and executes it without signature verification
- code extract:

```python
# Downloads rvcmd binary from external source
RVCMD_URL = BASE_URL + f"v{version}/rvcmd_{system_type}_{architecture}.{suffix}"
download_and_extract_zip(RVCMD_URL, tmpdir)
os.chmod(cmdfile, 0o755)  # Makes binary executable
subprocess.run([cmdfile, "-notui", "-w", "0", "assets/rvc"])  # Executes downloaded binary
```
- remediation : Implement binary signature verification, use cryptographic hashes for binaries, consider bundling trusted binaries, or implement sandbox execution for downloaded binaries.
Correct remediation would be to not do this at all.
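For readers who do keep the download step, here is the hash-pinning remediation from the finding worked through in Python. This is an added example, not code from the RVC project: the artifact is accepted only if its SHA-256 matches a digest pinned in the code, the on-disk file is checked again right before it runs, and execution uses an explicit argv with no shell. `SAMPLE_ARTIFACT` and `PINNED_SHA256` are constructed placeholders standing in for the real release file and its published digest.

```python
import hashlib
import hmac
import stat
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for the downloaded artifact; the real project would pin
# the digest published alongside each release, not compute it at runtime.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho rvcmd-placeholder\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


class IntegrityError(RuntimeError):
    """Raised when artifact bytes do not match the pinned digest."""


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of SHA-256(data) against the pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def stage_binary(data: bytes, expected_hex: str, dest_dir: str) -> Path:
    """Write the artifact and mark it executable only after the digest check
    passes, so unverified bytes never reach disk as an executable."""
    if not digest_matches(data, expected_hex):
        raise IntegrityError("artifact digest mismatch; refusing to install")
    cmdfile = Path(dest_dir) / "rvcmd"
    cmdfile.write_bytes(data)
    cmdfile.chmod(stat.S_IRWXU)  # 0o700: owner only, tighter than the original 0o755
    return cmdfile


def run_verified(cmdfile: Path, expected_hex: str, args: list[str]) -> int:
    """Re-check the on-disk file immediately before execution (narrows the
    install-to-use window) and run it with an explicit argv, never a shell."""
    if not digest_matches(cmdfile.read_bytes(), expected_hex):
        raise IntegrityError("on-disk binary no longer matches pinned digest")
    return subprocess.run([str(cmdfile), *args], check=False).returncode


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmpdir:
        path = stage_binary(SAMPLE_ARTIFACT, PINNED_SHA256, tmpdir)
        print("exit code:", run_verified(path, PINNED_SHA256, []))
```

A pinned hash only protects against a swapped artifact; it does nothing for an upstream release that was malicious when its digest was published, which is why the finding also lists bundling or sandboxing as options.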
I recommend deleting this issue and doing it through the appropriate channel in the appropriate way
Instead of creating an issue in an abandoned project, I think they would appreciate a PR more directly