PT-2026-39634 · Cosyvoice · Cosyvoice

Published: 2026-05-11 · Updated: 2026-05-11 · CVE-2026-31249

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

CosyVoice versions prior to commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e

Description

The make_parquet_list.py data processing tool is subject to insecure deserialization. The script utilizes the torch.load() function to load PyTorch .pt files, including utterance embeddings, speaker embeddings, and speech tokens, without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can execute arbitrary code on a system by providing malicious .pt files within a data directory that is then processed by the tool.

Recommendations

Update to a version of CosyVoice beyond commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e.
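A pre-flight audit that complements the update: the sketch below lists the globals a .pt archive's pickle stream would import, without ever unpickling it, and reports anything outside an allow-list. It is an added example, not code from this advisory or from CosyVoice; `ALLOWED`, `pickle_globals`, `audit_pt` and `make_sample` are hypothetical names, the allow-list contents are an assumption, and both sample archives are constructed inline.

```python
import io
import pickle
import pickletools
import platform
import zipfile
from collections import OrderedDict

# Assumption: globals a tensor-only torch.save() archive normally references.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "LongStorage")}

def pickle_globals(stream):
    """List (module, name) imports named in a pickle stream without executing it."""
    found, prev = [], []                       # prev: operands of the last two opcodes
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("GLOBAL", "INST"):      # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":        # protocol 4+: two strings pushed just before
            ok = len(prev) == 2 and all(isinstance(s, str) for s in prev)
            found.append(tuple(prev) if ok else ("<unresolved>", "<unresolved>"))
        if op.name != "MEMOIZE":
            prev = (prev + [arg])[-2:]
    return found

def audit_pt(data):
    """Return sorted imports outside ALLOWED for the bytes of one .pt file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["<not a zip archive: review manually>"]   # fail closed
    bad = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in (m for m in zf.namelist() if m.endswith(".pkl")):
            try:
                hits = pickle_globals(zf.read(member))
            except Exception:                  # truncated or malformed stream
                hits = [("<malformed>", member)]
            bad.update(".".join(g) for g in hits if g not in ALLOWED)
    return sorted(bad)

def make_sample(obj, protocol):
    """Constructed sample laid out like torch.save() output (archive/data.pkl)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()

CLEAN = make_sample(OrderedDict(utt1=[0.1, 0.2]), protocol=4)
# Constructed and harmless: only references a global outside the allow-list.
FLAGGED = make_sample({"utt1": platform.node}, protocol=2)
```

Run `audit_pt(path.read_bytes())` over every .pt file in a data directory before processing it; an empty list means no unexpected imports were named, and any other result warrants review. This is a static heuristic and does not replace loading with weights_only=True.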

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-31249

Affected Products

Cosyvoice