Critical Vulnerability in Hugging Face’s LeRobot Exposes Systems to Remote Code Execution
Cybersecurity experts have recently identified a significant security flaw in LeRobot, Hugging Face’s widely used open-source robotics platform. This vulnerability, designated as CVE-2026-25874 with a CVSS score of 9.3, allows unauthenticated attackers to execute arbitrary code remotely, posing a severe risk to systems utilizing this platform.
Understanding the Vulnerability
The core of this issue lies in the deserialization of untrusted data within LeRobot’s asynchronous inference pipeline. Specifically, the platform employs the `pickle.loads()` function to deserialize data received over unauthenticated gRPC channels that lack TLS encryption. This practice is inherently unsafe: pickle resolves and calls the objects named in the stream while loading, so anyone who can reach the endpoint can send a maliciously crafted pickle payload through gRPC calls such as `SendPolicyInstructions`, `SendObservations`, or `GetActions`. By doing so, they can achieve remote code execution on both the server and client components of LeRobot.
Potential Consequences
The implications of this vulnerability are far-reaching:
– Unauthenticated Remote Code Execution: Attackers can execute arbitrary commands on affected systems without needing authentication.
– Complete System Compromise: The PolicyServer host can be entirely taken over, granting attackers full control.
– Impact on Connected Robots: Malicious actors can manipulate or disrupt the operations of robots connected to the compromised system.
– Data Theft: Sensitive information, including API keys, SSH credentials, and model files, is at risk of being stolen.
– Lateral Network Movement: Attackers can navigate through the network, potentially compromising additional systems.
– Operational Disruption: Services can be crashed, models corrupted, or operations sabotaged, leading to physical safety hazards.
Discovery and Response
Valentin Lobstein, a security researcher at VulnCheck, discovered and detailed this vulnerability, confirming its presence in LeRobot version 0.4.3. Despite the severity, a patch has not yet been released; a fix is anticipated in version 0.6.0.
Notably, another researcher, known by the alias chenpinji, independently reported the same flaw in December 2025. In response, the LeRobot team acknowledged the security risk and indicated that significant refactoring of the codebase is necessary, as the original implementation was more experimental.
Steven Palma, the project’s technical lead, stated: “LeRobot has primarily been a research and prototyping tool, which is why deployment security hasn’t been a strong focus until now. As LeRobot continues to be adopted and deployed in production, we’ll start paying much closer attention to these kinds of issues. Fortunately, being an open-source project, the community can also help by reporting and fixing vulnerabilities.”
The Dangers of Using Pickle for Serialization
This incident underscores the risks associated with using the pickle format for serialization. Pickle is known to be unsafe for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. Ironically, Hugging Face developed Safetensors—a serialization format designed to be a safer alternative to pickle for machine learning data. Yet, their own robotics framework utilizes `pickle.loads()` to deserialize network input, highlighting a critical oversight.
Recommendations for Users
Given the current unpatched status of this vulnerability, users of LeRobot should take immediate action to mitigate potential risks:
1. Restrict Network Access: Limit exposure by configuring firewalls and access controls to restrict access to the PolicyServer component.
2. Monitor for Suspicious Activity: Implement monitoring to detect unusual behavior that may indicate exploitation attempts.
3. Prepare for Updates: Stay informed about the release of version 0.6.0 and plan to apply the update promptly once available.
4. Review Serialization Practices: Evaluate the use of serialization methods within your systems and consider adopting safer alternatives to pickle, especially when handling untrusted data.
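As an added example for points 2 and 4 (this is illustrative code, not LeRobot’s own), the block below shows two compensating controls for code that cannot drop pickle immediately: an unpickler restricted to an allowlist of globals, and a static opcode scan with `pickletools` that flags streams referencing or calling arbitrary objects without executing them. The allowlist and the two sample messages are constructed assumptions; this narrows exposure but is a stopgap next to replacing pickle on a network boundary with a schema-based format.

```python
import collections
import io
import pickle
import pickletools

# Allowlist of globals the receiving side legitimately needs (hypothetical; a real
# deployment would enumerate the exact types it exchanges, and nothing else).
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"),
                ("builtins", "set"), ("builtins", "tuple")}

# Opcodes that resolve a global, call a callable, or run __setstate__ during load.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any module.name pair that is not on the allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def suspicious_opcodes(data: bytes) -> list:
    """Static scan with pickletools: walks the opcode stream without executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPCODES]

def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed samples: a plain observation-style message, and a stream that
# references a class and calls it on load (the harmless collections.OrderedDict here,
# but the same STACK_GLOBAL + REDUCE mechanism a hostile payload relies on).
BENIGN = pickle.dumps({"observation": [0.1, 0.2], "step": 3})
CLASS_REF = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print("benign   :", suspicious_opcodes(BENIGN), restricted_loads(BENIGN))
    print("class ref:", suspicious_opcodes(CLASS_REF), "rejected:", is_rejected(CLASS_REF))
```

Logging every flagged stream at the gRPC handler gives the monitoring signal from point 2 even before a fix ships.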
Conclusion
The discovery of CVE-2026-25874 in Hugging Face’s LeRobot platform serves as a stark reminder of the critical importance of secure coding practices, particularly concerning data serialization. Organizations utilizing LeRobot must remain vigilant, implement recommended mitigations, and prioritize the application of security updates to protect their systems from potential exploitation.