Cybersecurity researchers have disclosed particulars of a important security flaw impacting LeRobot, Hugging Face’s open-source robotics platform with almost 24,000 GitHub stars, that might be exploited to attain distant code execution.
The vulnerability in query is CVE-2026-25874 (CVSS rating: 9.3), which has been described as a case of untrusted information deserialization stemming from the usage of the unsafe pickle format.
“LeRobot accommodates an unsafe deserialization vulnerability within the async inference pipeline, the place pickle.hundreds() is used to deserialize information acquired over unauthenticated gRPC channels with out TLS within the coverage server and robotic shopper parts,” based on a GitHub advisory for the flaw.
“An unauthenticated network-reachable attacker can obtain arbitrary code execution on the server or shopper by sending a crafted pickle payload by way of the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.”
In response to Resecurity, the issue is rooted within the async inference PolicyServer element, permitting an unauthenticated attacker who can attain the PolicyServer community port to ship a malicious serialized payload and run arbitrary working system instructions on the host machine working the service.
The cybersecurity firm mentioned the vulnerability is “harmful” because the service is designed for synthetic intelligence inference techniques, which are likely to run with elevated privileges to entry inside networks, datasets, and costly compute sources. Ought to the flaw be exploited by an attacker, it might allow a variety of actions, together with –
- Unauthenticated distant code execution
- Full compromise of the PolicyServer host
- Influence linked robots
- Theft of delicate information, resembling API keys, SSH credentials, and mannequin recordsdata
- Transfer laterally throughout the community
- Crash companies, corrupt fashions, or sabotage operations, resulting in bodily security dangers
VulnCheck security researcher Valentin Lobstein, who found and revealed further particulars of the shortcoming final week, mentioned it has been efficiently validated in opposition to LeRobot model 0.4.3. The difficulty at present stays unpatched, with a repair deliberate in model 0.6.0.
Curiously, the identical flaw was independently reported by one other researcher who goes by the web alias “chenpinji” someday in December 2025. The LeRobot group responded earlier this January, acknowledging the security threat and noting “that a part of the codebase must be nearly fully refactored as its authentic implementation was extra experimental.”
“That mentioned, LeRobot has up to now been primarily a analysis and prototyping instrument, which is why deployment security hasn’t been a robust focus till now,” Steven Palma, tech lead of the undertaking, mentioned. “As LeRobot continues to be adopted and deployed in manufacturing, we’ll begin paying a lot nearer consideration to those sorts of points. Fortuitously, being an open-source undertaking, the group may assist by reporting and fixing vulnerabilities.”
The findings as soon as once more expose the risks of utilizing the pickle format, because it paves the way in which for arbitrary code execution assaults just by loading a specifically crafted file.
“The irony right here is tough to overstate,” Lobstein famous. “Hugging Face created Safetensors — a serialization format designed particularly as a result of pickle is harmful for ML information. And but their very own robotics framework deserializes attacker-controlled community enter with pickle.hundreds(), with # nosec feedback to silence the instrument that was making an attempt to warn them.”
