Description
The CosyVoice project through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CosyVoice project included an insecure deserialization flaw in its model loading routine. When a user supplies a directory via the --model_dir flag, the code calls torch.load() without enabling the safety feature weights_only=True, allowing arbitrary Python objects to be deserialized through the Pickle module. An attacker can place a maliciously crafted .pt file containing a pickle payload in the target directory; when the victim loads the directory through the web interface, the payload is executed, resulting in remote code execution on the victim's machine.

Affected Systems

CosyVoice, version associated with commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e

Risk and Exploitability

The vulnerability is a classic insecure deserialization, identified as CWE-502, and has the potential for full system compromise. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the absence of safety checks and the ability to execute arbitrary code make it a high-severity risk. The attack vector is likely local to the web interface that accepts model directories, but any user with access to supply such a directory can trigger the exploit.

Generated by OpenCVE AI on May 12, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict model loading to trusted directories and validate all uploaded .pt files
  • Update CosyVoice to a version that enforces weights_only=True in torch.load or apply a patch that does so
  • If an update is unavailable, do not use the web interface for loading untrusted model files and restrict access to the --model_dir functionality to administrators alone
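The second recommended action above asks for torch.load calls to enforce weights_only=True. The following is an added example, not code from the CosyVoice project or from OpenCVE: a small static audit, built on Python's standard ast module only (it does not import torch), that a reviewer can run over a code base to list every torch.load call that omits weights_only=True or sets it to anything other than the literal True. The SAMPLE_SOURCE string is constructed for illustration; the file names in it are hypothetical and are not taken from the project.

```python
"""Audit Python source for torch.load() calls that do not pass weights_only=True.

Added example (not CosyVoice code). Uses only the standard library, so it runs
without torch installed. It recognises `import torch`, `import torch as t`, and
`from torch import load [as x]`, and reports the CWE-502 pattern described in
the advisory: a model file deserialised with the default, unrestricted pickle path.
"""
import ast
import sys
from typing import List, Set, Tuple


def find_unsafe_torch_load(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every torch.load call that is not hardened.

    A call is reported when weights_only is missing, is forwarded through **kwargs
    (cannot be verified statically), or is present but not the literal True.
    """
    tree = ast.parse(source, filename=filename)

    # Collect the names under which torch and torch.load are visible in this module.
    torch_aliases: Set[str] = set()
    load_aliases: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "torch":
                    torch_aliases.add(alias.asname or "torch")
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    load_aliases.add(alias.asname or "load")

    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_torch_load = (
            isinstance(func, ast.Attribute)
            and func.attr == "load"
            and isinstance(func.value, ast.Name)
            and func.value.id in torch_aliases
        ) or (isinstance(func, ast.Name) and func.id in load_aliases)
        if not is_torch_load:
            continue

        keyword = next((k for k in node.keywords if k.arg == "weights_only"), None)
        if keyword is None:
            if any(k.arg is None for k in node.keywords):  # a **kwargs splat is present
                findings.append((node.lineno, "weights_only may be passed via **kwargs; verify manually"))
            else:
                findings.append((node.lineno, "weights_only not set"))
        elif not (isinstance(keyword.value, ast.Constant) and keyword.value.value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return sorted(findings)


# Constructed sample source: one unsafe call, one hardened call, one explicit opt-out.
# File names are hypothetical placeholders, not paths from the CosyVoice project.
SAMPLE_SOURCE = '''\
import torch
from torch import load as torch_load

def load_model(model_dir):
    # vulnerable pattern from the advisory: weights_only left at its default
    state = torch.load(model_dir + "/model.pt", map_location="cpu")
    # hardened form recommended by the advisory
    safe = torch.load(model_dir + "/model.pt", map_location="cpu", weights_only=True)
    # explicit opt-out through the aliased import; also reported
    bad = torch_load(model_dir + "/flow.pt", weights_only=False)
    return state, safe, bad
'''


def audit_files(paths: List[str]) -> int:
    """Print findings for each file; return the total number of findings."""
    total = 0
    for path in paths:
        with open(path, "r", encoding="utf-8") as fh:
            for line, reason in find_unsafe_torch_load(fh.read(), path):
                print(f"{path}:{line}: torch.load {reason}")
                total += 1
    return total


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if audit_files(sys.argv[1:]) else 0)
    for line, reason in find_unsafe_torch_load(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: torch.load {reason}")
```

Run with one or more file paths to audit a checkout (exit status 1 when anything is reported, so it can gate a CI job), or with no arguments to see it flag lines 6 and 10 of the constructed sample while accepting the weights_only=True call on line 8. The check is deliberately conservative: a value spelled through a variable or forwarded via **kwargs is reported for manual review rather than assumed safe.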

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Funaudiollm; Funaudiollm cosyvoice
Vendors & Products | | Funaudiollm; Funaudiollm cosyvoice

Tue, 12 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | Insecure Deserialization in CosyVoice Model Loading Enables Remote Code Execution

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

References

Subscriptions

Funaudiollm Cosyvoice
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:08:16.567Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31232

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:51.507

Modified: 2026-05-12T18:16:51.507

Link: CVE-2026-31232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:00:12Z

Weaknesses

No weakness.