Description
CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CosyVoice’s data processing tool make_parquet_list.py loads PyTorch .pt files with torch.load() without setting weights_only=True. torch.load() is a thin layer over the pickle module, and an unrestricted unpickler will import and call any module.attribute named in the file, so a crafted .pt file (typically carrying an object whose __reduce__ method points at os.system or exec) runs attacker-chosen code at load time (CWE-502). The code executes in the context of the user running the tool, with whatever files, credentials and network access that user has.

Affected Systems

All CosyVoice users who run make_parquet_list.py on directories containing untrusted .pt files (downloaded datasets, third-party speaker embeddings, preprocessing outputs shared between teams) and who are on the codebase up to commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (the advisory gives the date as 2025‑30‑21). No specific vendors are listed; the risk applies to any deployment of the affected version.

Risk and Exploitability

An attacker triggers the flaw by getting a crafted .pt file into a data directory that the script later processes. No access to the victim's machine is needed beyond that: in practice the file arrives inside a dataset or model bundle the victim downloads, or through any other channel that writes to the data directory. Note that the published CVSS 3.1 vector (AV:N/PR:N/UI:N, recorded under History below) does not reflect that a user must run the tool against the poisoned directory, so treat the 7.3 as an upper bound and the realistic exposure as that of any pipeline that ingests third-party .pt files. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog, but because the outcome is arbitrary code execution with the privileges of the user running the tool, remediation is warranted before untrusted data is processed.

Generated by OpenCVE AI on May 12, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CosyVoice to a commit that calls torch.load(..., weights_only=True) in make_parquet_list.py or otherwise patches the deserialization path; until the project ships that change, apply it locally, since it is a one-argument fix. Check the pinned PyTorch version as well: torch 2.6 and later default torch.load() to weights_only=True, so exposure depends on the environment, but pass the argument explicitly rather than relying on the default.
  • Run the tool inside a restricted sandbox or container that limits file system access, network egress and process capabilities, as a low-privilege user with no credentials (API tokens, SSH keys, cloud metadata access) in reach.
  • Treat every .pt file in a data directory as untrusted input: verify integrity against cryptographic checksums published by the dataset source before processing, and reject files whose pickle stream references globals outside an allow-list (pickletools can enumerate them without executing the file).
  • If weights_only=True cannot be used for a given file, move the data to a non-pickle format (for example safetensors, or numpy .npy loaded with allow_pickle=False) or load it through a restricted unpickler that allow-lists only the few globals a tensor checkpoint legitimately needs.
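The mechanism described under Impact and the pre-load check recommended above, as an added example. This is not CosyVoice's code and it does not need PyTorch installed: torch.load() is a thin layer over pickle, so the vulnerable and hardened behaviour is reproduced with the standard-library unpickler. A constructed .pt file (the zip layout torch.save() uses, with a data.pkl entry) carries an object whose __reduce__ points at builtins.exec, which here only sets an environment variable where a real payload would run os.system. list_globals() enumerates the module.attribute names the file would import without executing it; RestrictedUnpickler does in spirit what weights_only=True does, allow-listing globals in find_class(). The allow-list entries, the file name, the MARKER variable and the demo() wrapper are assumptions made for the demonstration.

```python
"""Added example: why torch.load() without weights_only=True is dangerous,
and two checks a practitioner can apply to .pt files. Standard library only."""
import io
import os
import pickle
import pickletools
import tempfile
import zipfile
from pathlib import Path

# Constructed marker: the payload proves it ran by setting this variable.
# A real payload would call os.system, spawn a reverse shell, read keys, etc.
MARKER = "COSYVOICE_PICKLE_DEMO"


class MaliciousEmbedding:
    """Stand-in for an attacker-crafted object stored in a .pt file (constructed)."""

    def __reduce__(self):
        # pickle serialises this as GLOBAL builtins.exec + args + REDUCE, so the
        # unpickler calls exec(...) the moment the object is reconstructed.
        return (exec, (f"import os; os.environ[{MARKER!r}] = 'payload ran'",))


def build_malicious_pt(path: Path) -> None:
    """Write a .pt in the zip layout torch.save() uses (protocol 2, like torch)."""
    payload = pickle.dumps(MaliciousEmbedding(), protocol=2)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("archive/data.pkl", payload)


def extract_pickle(path: Path) -> bytes:
    """Return the pickle stream of a .pt file: zip layout, or legacy raw pickle."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = [n for n in zf.namelist() if n.endswith("data.pkl")]
            if not names:
                raise ValueError(f"{path}: zip archive without a data.pkl entry")
            return zf.read(names[0])
    return path.read_bytes()


def list_globals(stream: bytes):
    """Static check: every module.name the pickle would import, without running it.
    Older protocols spell builtins as __builtin__; STACK_GLOBAL (protocol 4+) takes
    the two most recently pushed strings, tracked here as an approximation."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
    return found


# Illustrative allow-list in the spirit of weights_only=True: only globals a
# tensor checkpoint needs. torch keeps its own, larger list; these are assumptions.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global not on the allow-list before it is imported."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global during load: {module}.{name}")


def unsafe_load(stream: bytes):
    """What torch.load() does in the affected code: unrestricted pickle."""
    return pickle.loads(stream)


def safe_load(stream: bytes):
    return RestrictedUnpickler(io.BytesIO(stream)).load()


def demo() -> dict:
    """Build the poisoned file, scan it, then load it both ways; return the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        pt = Path(tmp) / "utt2embedding.pt"
        build_malicious_pt(pt)
        stream = extract_pickle(pt)
        suspicious = [g for g in list_globals(stream) if g not in ALLOWED_GLOBALS]
        try:
            safe_load(stream)
            blocked = False
        except pickle.UnpicklingError:
            blocked = True
        os.environ.pop(MARKER, None)
        unsafe_load(stream)  # the payload runs here, exactly as in the CVE
        ran = os.environ.get(MARKER) == "payload ran"
    return {"suspicious_globals": suspicious, "blocked_by_allowlist": blocked, "payload_ran": ran}


if __name__ == "__main__":
    print(demo())
```

The static scan is a triage aid, not a substitute for the restricted loader: an attacker can obscure the global behind memoised strings or choose an allow-listed callable with dangerous side effects, so the allow-list enforced at load time is the control that matters, and files flagged by the scan should simply not be loaded.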


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice make_parquet_list.py Allows Arbitrary Code Execution

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Funaudiollm
Funaudiollm cosyvoice
Vendors & Products Funaudiollm
Funaudiollm cosyvoice

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice make_parquet_list.py Allows Arbitrary Code Execution
Weaknesses CWE-502

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:52:43.135Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31249

Vulnrichment

Updated: 2026-05-12T17:52:37.213Z

NVD

Status : Deferred

Published: 2026-05-11T17:16:19.820

Modified: 2026-05-12T18:16:53.120

Link: CVE-2026-31249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses