Full Report
Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution. The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the
Analysis Summary
# Vulnerability: Critical Unauthenticated RCE in Hugging Face LeRobot
## CVE Details
- **CVE ID:** CVE-2026-25874
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products:** Hugging Face LeRobot (Open-source robotics platform)
- **Versions:** Confirmed on version 0.4.3 (impacts prior versions using the async inference pipeline).
- **Configurations:** Systems running the `PolicyServer` component or robot clients using the async inference pipeline over unauthenticated gRPC channels without TLS.
## Vulnerability Description
The vulnerability exists in LeRobot's async inference pipeline because message bodies are serialized with Python's `pickle` module, which is not safe for untrusted input. The receiving side calls `pickle.loads()` on bytes that arrive over an unauthenticated gRPC channel, in handlers for calls such as `SendPolicyInstructions`, `SendObservations`, and `GetActions`. A pickle stream can name any importable callable and the arguments to call it with (the `GLOBAL`/`STACK_GLOBAL` and `REDUCE` opcodes, which is what a class's `__reduce__` method compiles to), and the unpickler executes that call during deserialization. Any client that can reach the port can therefore send a crafted payload and obtain remote code execution (RCE) as the user running the service; no valid policy, observation, or prior session is required.
Reports indicate the developers were aware of the risk: the `pickle.loads()` calls carried `# nosec` comments, which suppress Bandit's pickle findings (check B301) rather than address them, during the experimental phase of the project.
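The following is an added example, not LeRobot's code. It shows the pattern the description above refers to (raw gRPC bytes passed straight to `pickle.loads()`), a payload that proves the unpickler runs attacker-chosen code (it calls `builtins.eval` on a harmless expression instead of `os.system`), and an allowlisting `Unpickler` as a defense-in-depth check. The gRPC method names are from the advisory; the sample observation dict and the `ALLOWED_GLOBALS` set are assumptions made for the demo, not the project's message types.

```python
"""Added example (not LeRobot code): why pickle.loads() on network input is
remote code execution, and how a restricted Unpickler refuses the lookup the
payload needs. SAMPLE_OBSERVATION and ALLOWED_GLOBALS are constructed here."""
import io
import os
import pickle

# Constructed stand-in for an observation message a robot client would send.
SAMPLE_OBSERVATION = {"joint_positions": [0.12, -0.4, 1.05], "timestamp": 1700000000.0}


class MaliciousObservation:
    """Any class may define __reduce__: pickle records the returned callable and
    arguments, and the *receiver* calls them inside loads(). A real payload
    would return (os.system, ("...",)); this one calls builtins.eval on a
    harmless expression so the effect is observable without side effects."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    """What an attacker puts in a SendObservations / SendPolicyInstructions body."""
    return pickle.dumps(MaliciousObservation())


def benign_payload() -> bytes:
    return pickle.dumps(SAMPLE_OBSERVATION)


def vulnerable_loads(raw: bytes):
    """The CWE-502 pattern: gRPC bytes straight into pickle.loads()."""
    return pickle.loads(raw)  # nosec  <- silencing Bandit does not remove the RCE


# (module, name) pairs the receiver legitimately needs. The real list depends
# on the message types in use; this one is an assumption for the demo.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "float")}


class RestrictedUnpickler(pickle.Unpickler):
    """Both GLOBAL and STACK_GLOBAL opcodes resolve names through find_class,
    so refusing unknown names here blocks the eval/os.system lookup a payload
    must perform before REDUCE can call it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_loads(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def restricted_rejects(raw: bytes) -> bool:
    """True if the allowlisting unpickler refuses the payload without running it."""
    try:
        safe_loads(raw)
    except pickle.UnpicklingError:
        return True
    return False


def run_demo() -> dict:
    """The three facts a reader would verify by hand: the unsafe path executed
    the payload (it evaluated to this process's own PID), the restricted path
    refused it, and legitimate data still round-trips through the restricted path."""
    return {
        "unsafe_path_ran_payload": vulnerable_loads(build_payload()) == os.getpid(),
        "restricted_path_rejected": restricted_rejects(build_payload()),
        "benign_roundtrip": safe_loads(benign_payload()) == SAMPLE_OBSERVATION,
    }


if __name__ == "__main__":
    print(run_demo())
```

The allowlisting unpickler is a mitigation, not a fix: Python's own documentation notes that `pickle` is not designed to be secure, and a permitted class with a custom `__setstate__` can still be reached through `BUILD`. The durable fix for a network protocol is a format that cannot name callables at all (the gRPC message types themselves, JSON, or a tensor format such as safetensors for model data); which of these the project adopts is not stated by the advisory.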
## Exploitation
- **Status:** POC available (Validated by researchers); independently reported as early as December 2025.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Theft of API keys, SSH credentials, and model files)
- **Integrity:** High (Ability to corrupt models, sabotage operations, and run arbitrary OS commands)
- **Availability:** High (Ability to crash services or disable connected robotic hardware)
## Remediation
### Patches
- **Planned Fix:** A patch is scheduled for release in **LeRobot version 0.6.0**. Users should monitor the official GitHub repository for this release.
### Workarounds
- **Disable Network Access:** Ensure the `PolicyServer` is not exposed to the public internet or untrusted internal networks.
- **Implement Access Control:** Use firewalls or VPC security groups to restrict gRPC port access to known, trusted IP addresses only.
- **Enable TLS:** Force the use of TLS for gRPC communications where possible to prevent man-in-the-middle payload injection. Note that server-only TLS does not authenticate the client: any peer that can complete the handshake can still deliver a malicious pickle, so pair it with mutual TLS (client certificates) or another authentication layer. Even then, every authenticated client remains able to exploit the deserialization flaw, which TLS does not fix.
## Detection
- **Indicators of Compromise:** Unusual OS commands or child processes (for example, a shell or `curl`) spawned by the Python process hosting the LeRobot service, running as the account that owns that service; unexpected outbound network connections from the `PolicyServer` host.
- **Detection methods and tools:**
- Monitor gRPC traffic for unusually large or malformed payloads targeting the `SendPolicyInstructions`, `SendObservations`, or `GetActions` methods, and for message bodies whose pickle opcodes reference modules such as `os`, `subprocess`, or `builtins` that legitimate observation and action data would never need.
- Use static analysis tools to search for `pickle.loads()` or `pickle.load()` calls in the codebase, particularly those marked with `# nosec`.
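The following is an added detection example, not code from LeRobot or from the researchers' write-up. It triages a captured message body without executing it: `pickletools.genops` walks the opcode stream, the scanner records every name the stream resolves (`GLOBAL`, `STACK_GLOBAL`, `INST`) and every opcode that calls code (`REDUCE`, `NEWOBJ`, `BUILD`, ...), and `triage()` compares the resolved names against an allowlist. The three sample payloads are constructed inline; `DEFAULT_ALLOWED` is an assumption about what a legitimate numpy-bearing pickle references, not LeRobot's list.

```python
"""Added detection example (not LeRobot code): classify a pickle byte string
without loading it. Sample payloads and DEFAULT_ALLOWED are constructed here."""
import pickle
import pickletools

NAME_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}                       # resolve module.name
CALL_OPS = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Assumed allowlist: names a benign numpy-carrying observation pickle references.
DEFAULT_ALLOWED = frozenset({
    "numpy.ndarray", "numpy.dtype", "numpy.core.multiarray._reconstruct",
})


def scan_pickle(raw: bytes) -> list:
    """Return [(opcode, detail), ...] for code-reaching opcodes. Never calls loads()."""
    findings, pushed, memo, prev_str = [], [], {}, False
    for op, arg, pos in pickletools.genops(raw):
        name = op.name
        if name in STRING_OPS:               # remember string constants so a later
            pushed.append(arg)               # STACK_GLOBAL can be named module.name
            prev_str = True
            continue
        if name == "MEMOIZE":                # pickle stores at index len(memo)
            memo[len(memo)] = pushed[-1] if prev_str else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushed[-1] if prev_str else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))     # a memoized module/name string reused
            prev_str = pushed[-1] is not None
            continue
        elif name in NAME_OPS:
            if name == "STACK_GLOBAL":
                detail = f"{pushed[-2]}.{pushed[-1]}" if len(pushed) >= 2 else "?"
            else:                            # pickletools renders the pair as "module name"
                detail = arg.replace(" ", ".", 1)
            findings.append((name, detail))
        elif name in CALL_OPS:
            findings.append((name, f"offset {pos}"))
        prev_str = False
    return findings


def triage(raw: bytes, allowed=DEFAULT_ALLOWED) -> dict:
    """Unparseable, clean, or naming something outside the allowlist. A plain
    'any GLOBAL' rule is noisy in this pipeline because numpy/torch tensors
    also pickle through GLOBAL+REDUCE+BUILD; the allowlist absorbs those."""
    try:
        findings = scan_pickle(raw)
    except (ValueError, IndexError) as exc:  # truncated stream or unknown opcode
        return {"parseable": False, "suspicious": True, "reason": str(exc)}
    unexpected = sorted({d for n, d in findings if n in NAME_OPS and d not in allowed})
    return {"parseable": True, "suspicious": bool(unexpected),
            "unexpected_globals": unexpected,
            "calls": sum(1 for n, _ in findings if n in CALL_OPS)}


# Constructed samples: a benign observation, the classic hand-written protocol-0
# os.system gadget, and a protocol-4 pickle that names builtins.eval.
BENIGN = pickle.dumps({"joint_positions": [0.12, -0.4, 1.05], "timestamp": 1.0})
HOSTILE_P0 = b"cos\nsystem\n(S'id'\ntR."
HOSTILE_P4 = pickle.dumps(eval, protocol=4)

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("p0", HOSTILE_P0), ("p4", HOSTILE_P4)]:
        print(label, triage(raw))
```

The scanner is a triage aid for captured traffic and for hunting through saved request logs, not a guard to put in front of `pickle.loads()`: opcode inspection can be evaded by indirection the allowlisted classes themselves provide, so the remediation remains removing pickle from the network path.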
## References
- **GitHub Advisory:** hxxps[://]github[.]com/advisories/GHSA-f7vj-73pm-m822
- **Researcher Write-up:** hxxps[://]chocapikk[.]com/posts/2026/lerobot-pickle-rce/
- **Issue Tracker:** hxxps[://]github[.]com/huggingface/lerobot/issues/3047
- **Project Repository:** hxxps[://]github[.]com/huggingface/lerobot