Description
CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CosyVoice gRPC server contains an insecure deserialization flaw. When the server starts, it loads a speech synthesis model from a user‑specified directory using torch.load() without setting the weights_only=True security flag. Because torch.load() deserializes arbitrary Python objects via the pickle module, an attacker can place malicious model files in that directory. During server startup the payload is executed, giving the attacker arbitrary code execution on the victim’s machine. This flaw involves insecure deserialization, which aligns with CWE‑20, CWE‑915, and CWE‑94, and results in full compromise of the host system.

Affected Systems

The affected product is the CosyVoice project hosted on GitHub. The vulnerability exists in commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (dated 2025‑30‑21). Users running the gRPC server with a model directory that can be controlled by an attacker are impacted. No other vendors or versions are currently listed as affected.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability has a CVSS score of 7.3. The vulnerability is not listed in CISA’s KEV catalog. The exploit requires the victim to start the gRPC server pointing to a directory in which an attacker can place malicious files. An attacker who can influence the model path, for example by compromising a configuration file or by acting as a local user, can trigger the payload. The risk rises if the server is exposed to untrusted input or used in an environment where users can specify the model directory, thereby allowing local code execution during initialization.

Generated by OpenCVE AI on May 12, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Do not allow untrusted users to specify the model directory; restrict access to trusted directories only.
  • Update to a CosyVoice version that enables the weights_only=True flag in torch.load() or otherwise prevents arbitrary deserialization.
  • If no patch is available, modify the code to add the weights_only=True flag to torch.load() or replace it with a safer loading mechanism before starting the server.

Generated by OpenCVE AI on May 12, 2026 at 23:33 UTC.
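The recommended actions above boil down to one rule: no checkpoint from a directory the operator does not control is handed to an unrestricted torch.load(). The following is an added example, not CosyVoice code, that enforces that rule before the server initializes: a stdlib-only restricted unpickler (the same idea the weights_only=True flag relies on) that enumerates every global a checkpoint's pickle stream would import and refuses anything outside a minimal allowlist. The allowlist, the stub class and both sample checkpoints are constructed assumptions.

```python
import io
import pickle
import zipfile
from collections import OrderedDict

# Assumption: minimal allowlist of globals a weights-only state_dict references
# (torch's own weights_only unpickler accepts a similar, somewhat larger set).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

class UnsafeCheckpoint(Exception):
    """Raised the moment the stream asks for an import outside the allowlist."""

class _Stub(dict):
    """Inert stand-in for allowed globals and storages, so nothing real runs."""
    def __init__(self, *args, **kwargs):
        pass

class _AuditUnpickler(pickle.Unpickler):
    def find_class(self, module, name):   # invoked for every GLOBAL opcode
        if (module, name) not in ALLOWED_GLOBALS:
            raise UnsafeCheckpoint(f"disallowed global {module}.{name}")
        self.seen.add((module, name))
        return _Stub

    def persistent_load(self, pid):       # tensor storage references
        return _Stub()

def scan_bytes(data: bytes) -> set:
    """Globals referenced by one pickle stream; raises on a disallowed one."""
    up = _AuditUnpickler(io.BytesIO(data))
    up.seen = set()
    up.load()
    return up.seen

def scan_checkpoint(path: str) -> set:
    """Scan a torch.save() zip archive (its data.pkl entry) or a raw pickle."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            member = next(n for n in zf.namelist() if n.endswith("data.pkl"))
            return scan_bytes(zf.read(member))
    with open(path, "rb") as f:
        return scan_bytes(f.read())

# Constructed samples: a weights-only style state_dict, and an instance of a
# class no state_dict needs (stands in for anything outside the allowlist).
class _NotAStateDict: pass
BENIGN_PKL = pickle.dumps(OrderedDict([("enc.w", [0.1, 0.2])]), protocol=2)
SUSPICIOUS_PKL = pickle.dumps(_NotAStateDict(), protocol=2)
```

Run scan_checkpoint() over every file in the model directory before start-up and refuse to start on UnsafeCheckpoint; the real load that follows should still pass weights_only=True, since this scan is a pre-check, not a replacement for it.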

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice gRPC Server Enables Remote Code Execution

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization Enables Remote Code Execution in CosyVoice gRPC Server
Weaknesses CWE-502

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-915
CWE-94
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Funaudiollm
Funaudiollm cosyvoice
Vendors & Products Funaudiollm
Funaudiollm cosyvoice

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization Enables Remote Code Execution in CosyVoice gRPC Server
Weaknesses CWE-502

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T19:13:25.293Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31251

Vulnrichment

Updated: 2026-05-12T19:09:34.021Z

NVD

Status : Deferred

Published: 2026-05-11T17:16:20.070

Modified: 2026-05-12T20:16:33.700

Link: CVE-2026-31251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses