Description
CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.
Published: 2026-05-11
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CosyVoice uses torch.load() to import model weight files without enabling the security‑restrictive weights_only=True flag, permitting arbitrary Python objects to be deserialized through the pickle module. An attacker can craft a malicious model directory containing specially crafted files that, when loaded by the CosyVoice Web UI, execute arbitrary code on the victim’s system.

Affected Systems

The vulnerability exists in CosyVoice builds up to and including commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025‑30‑21). Systems running CosyVoice without applying a newer commit that enables weights_only=True are impacted.

Risk and Exploitability

The EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.7 indicates moderate severity. However, the impact is high because arbitrary code executes whenever a user loads a model from a directory controlled by a malicious actor, so exploitability is likely high wherever an attacker can supply a model directory to an accessible CosyVoice Web UI.

Generated by OpenCVE AI on May 12, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CosyVoice to a version past commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e that enforces weights_only=True for torch.load()
  • Ensure that all model loading operations set weights_only=True to prevent arbitrary deserialization
  • Avoid placing untrusted model files in directories that are referenced by the CosyVoice Web UI
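As an added example (not CosyVoice, PyTorch or OpenCVE code), a pre-load screen that supports the last two actions above: it reads the pickle opcode stream inside a .pt checkpoint without unpickling anything and reports every global outside a small state_dict allowlist, the same property weights_only=True enforces at load time. The allowlist contents, the torch zip layout (<name>/data.pkl inside the archive) and the memo-tracking heuristic for protocol 4 pickles are assumptions; sample inputs are constructed.

```python
import io
import pickletools
import zipfile
from typing import List, Tuple

# Assumption: the globals a plain state_dict checkpoint legitimately needs. PyTorch's
# real weights_only allowlist is broader; anything outside this set is reported.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "BFloat16Storage"),
    ("torch", "LongStorage"), ("torch", "IntStorage"), ("torch", "BoolStorage"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
KEEP_LAST = STRING_OPS | {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME"}

def pickle_globals(data: bytes) -> List[Tuple[str, str]]:
    """Every (module, name) the pickle would import, read from the opcode stream.
    Nothing is unpickled, so no REDUCE/BUILD side effect can run."""
    found, strings, memo, last, n_memo = [], [], {}, None, 0
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                      # protocol <= 3: arg is "module name"
            mod, _sep, name = arg.partition(" ")
            found.append((mod, name))
        elif op.name == "STACK_GLOBAL":              # protocol 4+: name, then module, on the stack
            name = strings.pop() if strings else "?"   # "?" means hand-built; still reported
            found.append((strings.pop() if strings else "?", name))
        elif op.name in STRING_OPS:
            strings.append(arg); last = arg
        elif op.name == "MEMOIZE":                   # standard pickler memoizes right after a push
            memo[n_memo] = last; n_memo += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and isinstance(memo.get(arg), str):
            strings.append(memo[arg])                # a memoized module/name string reused later
        if op.name not in KEEP_LAST:                 # any other opcode: forget the last string
            last = None
    return found

def scan_checkpoint(blob: bytes, allowed=ALLOWED_GLOBALS) -> List[Tuple[str, str]]:
    """Disallowed globals in a .pt blob: torch zip layout (<name>/data.pkl) or a bare pickle."""
    buf = io.BytesIO(blob)
    pickles = [blob]
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            pickles = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return sorted({g for p in pickles for g in pickle_globals(p) if g not in allowed})
```

Run scan_checkpoint over every .pt file in a model directory before starting the Web UI; a non-empty result means the file would still need the restricted loader to be safe.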


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in CosyVoice Model Loading Allows Arbitrary Code Execution

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Uncontrolled Deserialization Leading to Arbitrary Code Execution in CosyVoice Model Loading
Weaknesses CWE-502

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
CWE-94
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Funaudiollm
Funaudiollm cosyvoice
Vendors & Products Funaudiollm
Funaudiollm cosyvoice

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Uncontrolled Deserialization Leading to Arbitrary Code Execution in CosyVoice Model Loading
Weaknesses CWE-502

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T19:27:25.710Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31252

Vulnrichment

Updated: 2026-05-12T19:26:56.620Z

NVD

Status : Deferred

Published: 2026-05-11T17:16:20.187

Modified: 2026-05-12T20:16:33.910

Link: CVE-2026-31252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses