torch.load of CosyVoice web UI model directory
MITRE service request: 1988584
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The CosyVoice project through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Running python webui.py --model_dir <path> loads multiple .pt weights through CosyVoice model initializers without weights_only=True. A fake model tree distributed via social engineering executes code when the victim launches the UI.
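As an added defensive check (not CosyVoice's own code), the scanner below walks the pickle opcodes inside each .pt file of a model directory and reports every global the pickle would import, so a tree carrying anything beyond ordinary tensor-rebuild classes can be refused before webui.py hands it to torch.load. The allowlist, the archive layout and the sample blobs are assumptions constructed here, not taken from the project.

```python
# Added example (not CosyVoice project code): list every global a .pt pickle
# would import and flag anything outside the state_dict allowlist, before the
# file reaches torch.load (which, without weights_only=True, runs the pickle).
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from fractions import Fraction

# Assumed allowlist: modules a plain state_dict legitimately references.
ALLOWED_MODULES = ("torch", "collections", "numpy")
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(data: bytes) -> list:
    """Every 'module.name' a pickle stream resolves on load. Handles GLOBAL
    (protocol <= 3), STACK_GLOBAL (protocol 4+, names pushed as strings or
    fetched back from the memo) and chained pickles (legacy torch files)."""
    found, strings, memo, nmemo, prev = [], [], {}, 0, (None, None)
    stream = io.BytesIO(data)
    while stream.tell() < len(data):
        for op, arg, _ in pickletools.genops(stream):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name == "MEMOIZE":             # slot index = memo count
                if prev[0] in STRING_OPS:
                    memo[nmemo] = prev[1]
                nmemo += 1
            elif op.name in ("BINGET", "LONG_BINGET", "GET") and arg in memo:
                strings.append(memo[arg])
            elif op.name == "GLOBAL":
                found.append(arg.replace(" ", "."))
            elif op.name == "STACK_GLOBAL":
                found.append(f"{strings[-2]}.{strings[-1]}")
            prev = (op.name, arg)
    return found

def scan_pt(data: bytes) -> list:
    """Globals in a .pt file: zip container (torch >= 1.6, *.pkl members) or raw pickle."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if n.endswith(".pkl")]
            return [g for n in members for g in pickle_globals(zf.read(n))]
    return pickle_globals(data)

def unsafe_globals(data: bytes) -> list:
    """Globals whose module is not on the allowlist (match on module boundary)."""
    def allowed(g):
        mod = g.rsplit(".", 1)[0]
        return any(mod == p or mod.startswith(p + ".") for p in ALLOWED_MODULES)
    return [g for g in scan_pt(data) if not allowed(g)]

def make_pt(obj, protocol: int) -> bytes:
    """Constructed sample: zip with archive/data.pkl, the layout torch.save writes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()

# Constructed inputs: a state_dict-like mapping (only collections.OrderedDict is
# imported) and a file whose pickle rebuilds an unrelated, non-tensor class.
BENIGN_PT = make_pt(OrderedDict(weight=[0.1, 0.2]), protocol=2)  # emits GLOBAL
ODD_PT = make_pt(Fraction(1, 3), protocol=4)                      # emits STACK_GLOBAL
```

Run it over every .pt in the directory passed to --model_dir and refuse to start the UI when unsafe_globals() is non-empty for any file.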
6e01309e01bc93bbeb83bdd996b1182a81aaf11e.
--model_dir pointing at partially attacker-controlled tree (e.g., llm.pt, flow.pt, hift.pt).
torch.load defaults to full pickle.
High for users downloading voice models from untrusted sources.