Description
CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CosyVoice’s average_model.py contains an insecure deserialization flaw. The script loads PyTorch checkpoint files with torch.load() without setting weights_only=True, allowing pickle to deserialize arbitrary Python objects. This flaw turns the model‑averaging process into an arbitrary code execution vector when a malicious checkpoint file is present in the directory being processed.

Affected Systems

The vulnerability affects the CosyVoice repository at commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e. Any deployment of the average_model.py script that processes checkpoints in a directory is susceptible, regardless of the scale of model averaging. No other third‑party vendors are listed.

Risk and Exploitability

The CVSS score of 7.3 indicates high risk, and the EPSS score of <1% reflects that exploitation is unlikely but plausible. The vulnerability is not listed in the CISA KEV catalog. Because an attacker can supply a malicious checkpoint file to the average_model.py script, any run of the tool with untrusted input allows arbitrary code execution. The exploit path requires the attacker to place the malicious checkpoint in the directory processed by the tool; no additional privileges are needed beyond executing the script.

Generated by OpenCVE AI on May 12, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of CosyVoice that disables insecure deserialization in average_model.py
  • If upgrading immediately is not possible, modify the script to call torch.load() with weights_only=True to prevent loading arbitrary objects
  • Ensure that only trusted checkpoints are placed in the directory processed by average_model.py; remove any unverified or third‑party checkpoint files before running the tool
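
As an added illustration of the third action above (not code from OpenCVE or the CosyVoice project), this standard-library check lists the imports each epoch_*.pt would trigger by reading the pickle opcodes without deserializing anything. The ALLOWED set, the function names and the sample files are assumptions constructed for the example, and it assumes zip-format checkpoints holding a data.pkl member.

```python
import fractions, glob, os, pickle, pickletools, tempfile, zipfile
from collections import OrderedDict

# Assumption: the only imports a plain state_dict checkpoint should need.
ALLOWED = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
           "torch.FloatStorage", "torch.HalfStorage", "torch.LongStorage"}

def pickle_globals(data):
    """Names a pickle stream would import, read from its opcodes without loading it."""
    found, recent, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):          # operand is "module name"
            found.append(arg.replace(" ", ".", 1))
            recent = []
        elif op.name == "STACK_GLOBAL":            # operands are the last two pushes
            ok = len(recent) >= 2 and all(isinstance(s, str) for s in recent[-2:])
            found.append(".".join(recent[-2:]) if ok else "<unresolved>")
            recent = []
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[len(memo) if arg is None else arg] = recent[-1] if recent else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
        elif isinstance(arg, str):                 # string push
            recent.append(arg)
        elif op.name != "FRAME":                   # any other opcode breaks the pair
            recent = []
    return found

def scan_checkpoint(path):
    """Unexpected imports in one checkpoint; anything not a plain zip is flagged."""
    with open(path, "rb") as fh:
        if fh.read(4) != b"PK\x03\x04" or not zipfile.is_zipfile(path):
            return ["<legacy or unknown format>"]
    with zipfile.ZipFile(path) as zf:
        pkls = [n for n in zf.namelist() if n.endswith(".pkl")]
        names = [g for n in pkls for g in pickle_globals(zf.read(n))]
    return sorted(set(names) - ALLOWED) if pkls else ["<no pickle member>"]

def scan_dir(src):  # each epoch_*.pt in src -> unexpected imports ([] = none found)
    return {os.path.basename(p): scan_checkpoint(p)
            for p in sorted(glob.glob(os.path.join(src, "epoch_*.pt")))}

def demo():  # constructed stand-ins shaped like zip checkpoints; torch not needed
    src = tempfile.mkdtemp()
    for name, obj, proto in (("epoch_0.pt", OrderedDict(w=[0.1]), 2),
                             ("epoch_1.pt", {"w": fractions.Fraction}, 4)):
        with zipfile.ZipFile(os.path.join(src, name), "w") as zf:
            zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=proto))
    return scan_dir(src)
```

An empty list means no unexpected import was found in that file; it does not replace loading with weights_only=True.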

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice Model Averaging Tool Permits Arbitrary Code Execution

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Funaudiollm
Funaudiollm cosyvoice
Vendors & Products Funaudiollm
Funaudiollm cosyvoice

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice Model Averaging Tool Permits Arbitrary Code Execution
Weaknesses CWE-502

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description (same text as the Description section at the top of this page)
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T19:05:45.515Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31250

Vulnrichment

Updated: 2026-05-12T19:05:35.594Z

NVD

Status: Deferred

Published: 2026-05-11T17:16:19.950

Modified: 2026-05-12T20:16:33.087

Link: CVE-2026-31250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z