CVE-2024-39686 - AI Deep Analysis Summary

CVSS 9.8 · Critical

Q1. What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Arbitrary Command Execution in Bert-VITS2 v2.3. 💥 **Consequences**: Attackers can run malicious system commands, leading to total server compromise, data theft, or service disruption.

Q2. Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: CWE-78 (OS Command Injection). The flaw lies in `webui_preprocess.py`, where user inputs are likely passed directly to system shells without proper sanitization.

Q3. Who is affected? (Versions/Components)

👥 **Affected**: Users running **Bert-VITS2 version 2.3**, the FishAudio open-source TTS model backbone. Check your local installation version.

Q4. What can hackers do? (Privileges/Data)

🔓 **Hacker Power**: Full arbitrary command execution. They gain the same privileges as the application user and can read/write files, install backdoors, or pivot to other network assets.

Q5. Is exploitation threshold high? (Auth/Config)

🔑 **Threshold**: **LOW**. CVSS Vector shows `AV:N` (Network), `AC:L` (Low Complexity), `PR:N` (No Privileges Needed), `UI:N` (No User Interaction). Remote, anonymous exploitation is possible.

Q6. Is there a public Exp? (PoC/Wild Exploitation)

📢 **Public Exp?**: Yes, referenced in GHSL Advisory (GHSL-2024-045). While no specific `.py` exploit script is in the `pocs` list, the vulnerability details and code paths are publicly disclosed.

Q7. How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for `webui_preprocess.py` in your Bert-VITS2 directory. Look for unsanitized inputs passed to `os.system()`, `subprocess`, or similar shell execution functions around lines 82 and 130.
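As an added, defender-side illustration of this self-check (not code from Bert-VITS2 or the GHSL advisory), the following Python script walks a source file's AST and reports every `os.system()` / `subprocess.*(shell=True)` call whose command string is built from non-literal data. The source it scans is a constructed sample that mimics the pattern; it is not the real `webui_preprocess.py`.

```python
import ast

# Constructed sample that imitates the risky pattern; NOT the real webui_preprocess.py.
SAMPLE = '''
import os, subprocess
def preprocess(data_dir, config_path):
    os.system(f"python preprocess_text.py --data {data_dir}")   # f-string: flagged
    subprocess.run("resample.py " + config_path, shell=True)    # concat + shell: flagged
    subprocess.run(["python", "resample.py", config_path])      # list args, no shell: ok
    os.system("ls")                                             # constant string: ok
'''

# Functions that hand a string to a shell (subprocess ones only when shell=True).
SHELL_CALLS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "call"), ("subprocess", "Popen"),
               ("subprocess", "check_output"), ("subprocess", "check_call")}


def _is_shell_call(call):
    """True if `call` is os.system/os.popen or a subprocess call with shell=True."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)):
        return False
    mod, name = f.value.id, f.attr
    if (mod, name) not in SHELL_CALLS:
        return False
    if mod == "subprocess":
        return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                   and k.value.value is True for k in call.keywords)
    return True


def find_shell_injection_sinks(source):
    """Return sorted (line, callee) pairs for shell calls whose command is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and node.args and _is_shell_call(node):
            # A literal command cannot carry user input; anything else deserves review.
            if not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, ast.unparse(node.func)))
    return sorted(findings)


def scan_file(path):
    """Convenience wrapper: run the check over a file such as webui_preprocess.py."""
    with open(path, encoding="utf-8") as fh:
        return find_shell_injection_sinks(fh.read())


if __name__ == "__main__":
    for line, func in find_shell_injection_sinks(SAMPLE):
        print(f"line {line}: {func}() command built from non-literal input")
```

Run `scan_file("webui_preprocess.py")` from the Bert-VITS2 directory to list the candidate sinks to audit; a hit is a review prompt, not proof of exploitability.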

Q8. Is it fixed officially? (Patch/Mitigation)

🩹 **Official Fix**: Yes. The vendor (FishAudio) and security researchers (GHSL) have disclosed the issue. Check the official GitHub repository for updates or patches post-July 2024.

Q9. What if no patch? (Workaround)

🚧 **No Patch?**: **Isolate immediately**. Do not expose the web UI to the internet. If internal only, restrict network access. Manually audit `webui_preprocess.py` to remove unsafe command calls.

Q10. Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. CVSS score is **9.8** (Critical). With no auth required and easy exploitation, patch or mitigate immediately to prevent remote code execution.