Description
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CosyVoice project included an insecure deserialization flaw in its model loading routine. When a user supplies a directory via the --model_dir flag, the code calls torch.load() without enabling the safety feature weights_only=True, allowing arbitrary Python objects to be deserialized through the Pickle module. An attacker can place a maliciously crafted .pt file containing a pickle payload in the target directory; when the victim loads the directory through the web interface, the payload is executed, resulting in remote code execution on the victim's machine.

Affected Systems

CosyVoice, version associated with commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e

Risk and Exploitability

The vulnerability is a classic insecure deserialization flaw, classified as CWE‑502, and can lead to system‑wide compromise. The CVSS score of 8.8 categorizes it as high severity. The EPSS score of <1% indicates a very low but non‑zero probability of exploitation. It is not listed in CISA KEV. Because the code deserializes arbitrary Python objects from user‑supplied .pt files via torch.load() without the security‑restrictive weights_only=True parameter, an attacker can trigger remote code execution by placing a malicious payload in a model directory that a victim loads through CosyVoice’s web interface. The attack vector appears local to the web interface accepting model directories, but anyone who can supply such a directory can exploit the flaw.

Generated by OpenCVE AI on May 14, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict model loading to trusted directories and validate all uploaded .pt files
  • Update CosyVoice to a version that enforces weights_only=True in torch.load or apply a patch that does so
  • If an update is unavailable, do not use the web interface for loading untrusted model files and restrict access to the --model_dir functionality to administrators alone

Generated by OpenCVE AI on May 14, 2026 at 22:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice Model Loading Enables Remote Code Execution

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Funaudiollm
Funaudiollm cosyvoice
Vendors & Products Funaudiollm
Funaudiollm cosyvoice

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice Model Loading Enables Remote Code Execution

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
References

Subscriptions

Funaudiollm Cosyvoice
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T19:55:02.845Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31232

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T18:16:51.507

Modified: 2026-05-14T20:17:02.427

Link: CVE-2026-31232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses