CosyVoice Insecure Deserialization Vulnerability in gRPC Server Component
Vulnerability
An insecure deserialization vulnerability has been identified in CosyVoice, specifically in the gRPC server component. The issue arises because the application loads the speech synthesis model from a user-specified directory with torch.load() without setting the weights_only=True security parameter. As a result, the checkpoint is read with the full pickle module and arbitrary Python objects can be deserialized. An attacker could exploit this by placing malicious model files in the designated directory: when the gRPC server is started against that directory, the malicious code executes on the victim's system during the server's initialization phase.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's system.
Reproduction
To reproduce this vulnerability, place a malicious model file that exploits the insecure deserialization into a directory. Start the CosyVoice gRPC server and point it at the directory containing that model file. During server initialization the malicious code is executed, demonstrating the vulnerability.
