Security: torch.load uses weights_only=False for voice .pt files #452
Open
Description
Summary
Voice tensor loading via torch.load() uses the default weights_only=False, which enables arbitrary code execution through crafted pickle payloads in .pt files. PyTorch explicitly warns about this in their documentation.
Affected Code
- api/src/core/paths.py — load_voice_tensor() calls torch.load(io.BytesIO(data), map_location=device, weights_only=weights_only), where weights_only defaults to False
- api/src/services/tts_service.py line ~191 — torch.load(path, map_location="cpu") with no weights_only parameter
Note: load_model_weights() in paths.py correctly uses weights_only=True — the voice loading paths should match.
Impact
If a malicious .pt voice file is introduced (e.g., via supply chain compromise of the Docker image, or if voice files are user-provided), the pickle deserializer will execute arbitrary Python code embedded in the file.
Suggested Fix
Set weights_only=True on all torch.load() calls for voice tensors. Voice .pt files contain simple tensors and do not require pickle deserialization:
```python
# In paths.py load_voice_tensor()
torch.load(io.BytesIO(data), map_location=device, weights_only=True)

# In tts_service.py _get_voice_path()
torch.load(path, map_location="cpu", weights_only=True)
```

Environment
- Image: ghcr.io/remsky/kokoro-fastapi-cpu:v0.2.0post4
- PyTorch version: as shipped in the image
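The mechanism behind this report, as an added example that is not part of the issue or of the kokoro-fastapi code base: a crafted pickle whose __reduce__ hands the unpickler an attacker-chosen callable, a static scan of the globals a stream would import, and a restricted unpickler that refuses anything outside an allowlist. It uses the legacy raw-pickle .pt layout (newer .pt files are zip archives wrapping the same pickle), calls a harmless recorder `_record` where a real payload would call os.system or subprocess.Popen, and the allowlist ALLOWED_GLOBALS is illustrative, not torch's actual weights_only list (assumption). `load_voice_tensor_safe` is the fix the issue asks for and assumes torch is installed; everything else runs with the standard library only.

```python
import io
import pickle
import pickletools

# Side-effect log so the demo payload is observable without touching the OS.
EXECUTED = []


def _record(marker):
    """Harmless stand-in for what a real payload would call (os.system, subprocess.Popen, ...)."""
    EXECUTED.append(marker)
    return marker


class CraftedPayload:
    """Object whose __reduce__ makes the unpickler call an attacker-chosen callable on load."""

    def __reduce__(self):
        return (_record, ("payload-executed",))


def build_crafted_pt(protocol: int = 2) -> bytes:
    """Constructed sample: a legacy-format (raw pickle) .pt whose top-level dict carries the payload."""
    return pickle.dumps({"voice": CraftedPayload()}, protocol=protocol)


def build_benign_pt() -> bytes:
    """Constructed sample: nested lists standing in for a voice tensor's values, no globals at all."""
    return pickle.dumps({"voice": [[0.1, 0.2], [0.3, 0.4]]}, protocol=2)


def list_globals(data: bytes):
    """Statically list the (module, name) pairs a pickle stream would import, without executing it.
    Covers GLOBAL (protocol <= 3, arg is 'module name') and STACK_GLOBAL (protocol 4+, which
    consumes the two most recently pushed strings)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


# Minimal allowlist in the spirit of torch's weights_only unpickler
# (assumption: illustrative only, not torch's actual list).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Refuses every global outside the allowlist, so a __reduce__ trick cannot resolve a callable."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"Unsupported global: {module}.{name}")


def load_unsafe(data: bytes):
    """Equivalent of torch.load(..., weights_only=False): full pickle, runs whatever the file asks."""
    return pickle.loads(data)


def load_restricted(data: bytes):
    """Equivalent of torch.load(..., weights_only=True): allowlisted globals only."""
    return WeightsOnlyUnpickler(io.BytesIO(data)).load()


def load_voice_tensor_safe(data: bytes, device: str = "cpu"):
    """The fix the issue asks for, applied to an in-memory voice file (assumes torch is installed)."""
    import torch  # not needed for the pickle-only demonstration above

    return torch.load(io.BytesIO(data), map_location=device, weights_only=True)


if __name__ == "__main__":
    crafted = build_crafted_pt()
    print("globals referenced:", list_globals(crafted))
    try:
        load_restricted(crafted)
    except pickle.UnpicklingError as exc:
        print("restricted loader refused:", exc)
    load_unsafe(crafted)
    print("unsafe loader ran payload:", EXECUTED)
```

list_globals is the useful triage step for a Docker image or an uploaded voice file: a genuine voice tensor references only torch's rebuild helpers and storage classes, so any other module in that list is reason to quarantine the file before it ever reaches torch.load.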