CosyVoice Insecure Deserialization Vulnerability Allowing Arbitrary Code Execution
Vulnerability
An insecure deserialization vulnerability has been identified in CosyVoice, specifically in the model loading component. The framework loads model weight files such as llm.pt, flow.pt, and hift.pt with torch.load() without setting the security-restrictive weights_only=True parameter, so the files are deserialized by the unrestricted pickle module, which can instantiate arbitrary Python objects. An attacker could exploit this by supplying a malicious model directory containing specially crafted model files. When the CosyVoice Web UI is pointed at this directory, the embedded code runs on the victim's system during model loading.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's system.
Reproduction
To reproduce this vulnerability, create a model directory containing maliciously crafted model files designed to exploit the insecure deserialization. Then, start the CosyVoice Web UI and point it to the directory with the malicious model files. During the model loading process, the arbitrary code will be executed on the system.
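The defensive loading path that the advisory implies, as an added example (this is not CosyVoice's code): a checkpoint is disassembled with pickletools to list every global its pickle stream would import, that list is compared with an allowlist, and only a clean file is handed to torch.load(..., weights_only=True). Assumptions: the allowlist SAFE_GLOBALS is a constructed, deliberately small one; the zip container layout (a *.pkl member such as archive/data.pkl) is the one torch.save uses; the sample checkpoints are constructed inline from harmless standard-library objects and contain no executable payload; load_checkpoint needs torch installed, the audit itself does not.

```python
"""Pre-load audit for PyTorch checkpoint files (example added to this
advisory; not CosyVoice's code). Globals are found by disassembling the
pickle stream, so nothing in the file is executed during the audit."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict, deque

# Constructed, deliberately small allowlist of globals a plain weights
# checkpoint needs; torch's own weights_only unpickler ships a longer one.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "LongStorage"),
}

_MARK = object()  # stands in for the pickle MARK object on the simulated stack
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(stream):
    """(module, name) pairs the pickle stream would import. Only the stack and
    memo bookkeeping needed to resolve STACK_GLOBAL operands (protocol 4+) is
    simulated; GLOBAL (protocol <= 3) carries both names in its argument."""
    found, stack, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(stream):
        before = op.stack_before
        if pickletools.stackslice in before:
            # Variable-length operand: pop down to and including the MARK,
            # then the fixed operands below it (e.g. the list for APPENDS).
            while stack and stack.pop() is not _MARK:
                pass
            below = before.index(pickletools.markobject) if pickletools.markobject in before else 0
            operands = [stack.pop() for _ in range(min(below, len(stack)))]
        else:
            operands = [stack.pop() for _ in before if stack][::-1]
        value = None  # what this opcode pushes; only strings matter here
        name = op.name
        if name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL" and len(operands) == 2:
            found.append((operands[0], operands[1]))
        elif name in _STRING_OPS:
            value = arg
        elif name == "MARK":
            value = _MARK
        elif name in ("MEMOIZE", "DUP") or name in _PUT_OPS:
            value = operands[0] if operands else None
            if name == "MEMOIZE":
                memo[len(memo)] = value
            elif name != "DUP":
                memo[arg] = value
        elif name in _GET_OPS:
            value = memo.get(arg)
        stack.extend([value] * len(op.stack_after))
    return found


def checkpoint_globals(data):
    """Globals referenced by a .pt/.pth blob in either container format: the
    zip container (pickles stored as *.pkl members) or the legacy stream of
    back-to-back pickles followed by raw storage bytes."""
    found, buf = [], io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    found.extend(referenced_globals(io.BytesIO(zf.read(member))))
        return found
    buf.seek(0)
    parsed = 0
    while buf.tell() < len(data):
        try:
            found.extend(referenced_globals(buf))
        except ValueError:
            if parsed == 0:
                raise  # not a pickle stream at all
            break  # trailing raw storage bytes in the legacy format
        parsed += 1
    return found


def audit(data, allowlist=SAFE_GLOBALS):
    """Globals outside the allowlist, sorted; an empty list means the file
    references only what a plain weights checkpoint needs."""
    return sorted(set(checkpoint_globals(data)) - set(allowlist))


def load_checkpoint(path, allowlist=SAFE_GLOBALS):
    """Audit first, then load with weights_only=True so torch's restricted
    unpickler remains the second line of defence; the audit gives a loggable
    reason before any unpickling happens."""
    with open(path, "rb") as fh:
        data = fh.read()
    unexpected = audit(data, allowlist)
    if unexpected:
        raise ValueError(f"{path}: refusing to load, unexpected globals {unexpected}")
    import torch  # imported here so the audit itself does not need torch
    return torch.load(io.BytesIO(data), map_location="cpu", weights_only=True)


# Constructed samples: a plain pickle, a state dict that legitimately needs
# collections.OrderedDict (protocol 2 emits GLOBAL, protocol 4 STACK_GLOBAL),
# and one referencing a harmless global outside the allowlist.
PLAIN = pickle.dumps({"weight": [0.1, 0.2]}, protocol=2)
ORDERED_P2 = pickle.dumps(OrderedDict(weight=[0.1]), protocol=2)
ORDERED_P4 = pickle.dumps(OrderedDict(weight=[0.1]), protocol=4)
UNEXPECTED = pickle.dumps(deque([1, 2]), protocol=4)


def zip_checkpoint(payload):
    """Wrap a pickle the way torch's zip container lays it out (assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("ordered", zip_checkpoint(ORDERED_P4)),
                        ("unexpected", zip_checkpoint(UNEXPECTED))]:
        print(label, audit(blob) or "ok")
```

The audit is a pre-check, not a replacement for weights_only=True: an attacker controls the whole file, so the restricted unpickler inside torch.load must still be the setting that actually refuses arbitrary globals. Flagged entries are worth logging with the file path and hash so that a rejected model directory can be investigated rather than silently skipped.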
