Cybersecurity experts have revealed a significant security vulnerability in Hugging Face’s open-source robotics platform, LeRobot. The flaw, tracked as CVE-2026-25874, carries a critical CVSS rating of 9.3 and allows remote code execution through the deserialization of untrusted data.
Understanding the Security Vulnerability
The vulnerability lies in LeRobot’s async inference pipeline, which uses Python’s pickle format to deserialize data received over unauthenticated gRPC channels. Pickle is not a data format but a small stack-machine language whose opcodes can import modules and call arbitrary callables, so unpickling attacker-controlled bytes is equivalent to running attacker-controlled code. The GitHub advisory notes that an attacker can send a crafted pickle payload through specific gRPC calls, such as SendPolicyInstructions, leading to arbitrary code execution on the server or the client.
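The following is an added illustration of the pattern the advisory describes, written for this article; it is not LeRobot’s code, and the class and method names (UnsafePolicyServer, send_policy_instructions, and so on) are stand-ins, not the project’s real API. It shows a handler that unpickles whatever bytes arrive, a payload whose unpickling calls a function of the sender’s choosing (os.getpid is used as a harmless stand-in for what a real payload would invoke), a restricted unpickler that refuses every global lookup, and the data-only encoding that avoids the problem altogether.

```python
"""Constructed example: pickle over an RPC boundary, vulnerable vs. contained.
Not LeRobot's code; all names are hypothetical stand-ins."""
import io
import json
import os
import pickle


class UnsafePolicyServer:
    """Stand-in for an RPC handler that trusts the bytes it receives."""

    def send_policy_instructions(self, wire_bytes: bytes):
        # Vulnerable pattern: pickle.loads on attacker-controlled bytes.
        # The pickle VM can import any module and call any callable, so
        # whoever controls the bytes controls what runs on this host.
        return pickle.loads(wire_bytes)


class MaliciousInstructions:
    """An object whose pickle reconstructs itself by *calling* a function
    chosen by the sender.  os.getpid is a harmless stand-in; a real payload
    would name os.system, subprocess.Popen, or similar."""

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_payload() -> bytes:
    # Nothing in the payload is specific to the victim; it is plain bytes
    # that any client able to reach the port could send.
    return pickle.dumps(MaliciousInstructions())


class RestrictedUnpickler(pickle.Unpickler):
    """Containment measure: refuse every global lookup.  Pure-data pickles
    (dict, list, tuple, str, bytes, numbers) never call find_class, so they
    still load; any opcode that would import a module or class is rejected."""

    ALLOWED = set()  # add ("module", "name") pairs only with a concrete need

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(wire_bytes: bytes):
    return RestrictedUnpickler(io.BytesIO(wire_bytes)).load()


class HardenedPolicyServer:
    """Same hypothetical handler, unpickling only data-shaped pickles."""

    def send_policy_instructions(self, wire_bytes: bytes):
        return safe_loads(wire_bytes)


def encode_instructions_json(instructions: dict) -> bytes:
    # Preferred fix: a format with no code path at all.  JSON (or Safetensors
    # for tensors) has no opcode that calls a function, so the question of
    # which globals are "safe" never arises.
    return json.dumps(instructions).encode()


def decode_instructions_json(wire_bytes: bytes) -> dict:
    return json.loads(wire_bytes)


def demo() -> dict:
    """Runs all four cases and reports what happened (no side effects)."""
    benign = {"task": "pick up the cube", "max_steps": 200, "gain": 0.5}
    payload = build_malicious_payload()

    # 1. Unsafe server: unpickling *calls* os.getpid and returns its result.
    unsafe_result = UnsafePolicyServer().send_policy_instructions(payload)
    ran_code = unsafe_result == os.getpid()

    # 2. Hardened server: the same payload is rejected before anything runs.
    try:
        HardenedPolicyServer().send_policy_instructions(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # 3. Hardened server still accepts plain data.
    plain_ok = HardenedPolicyServer().send_policy_instructions(
        pickle.dumps(benign)) == benign

    # 4. Data-only wire format round-trips with no deserialization risk.
    json_ok = decode_instructions_json(encode_instructions_json(benign)) == benign

    return {"unsafe_ran_code": ran_code, "hardened_blocked": blocked,
            "hardened_loads_plain_data": plain_ok, "json_roundtrip": json_ok}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: a restricted unpickler is a containment measure, not a fix, since every entry added to its allowlist is another gadget an attacker can try to chain, which is why the advisory points to a refactor rather than a filter; and because the channel is described as unauthenticated, replacing the format does nothing about who may reach the port, so the gRPC endpoint also needs transport authentication (for example mTLS) and network restriction.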
Resecurity has pinpointed the issue to the PolicyServer component, noting that an attacker with network access to the PolicyServer port can execute malicious commands on the host machine. The flaw is particularly dangerous as it affects AI inference systems, which often have elevated privileges and access to sensitive internal networks.
Potential Impact and Risks
Exploitation of this flaw could have several severe consequences. Unauthenticated attackers could achieve remote code execution and fully compromise the PolicyServer host. From there they could tamper with connected robots, steal sensitive data, and move laterally across the network. They could also disrupt services and corrupt models, which in a robotics setting translates into physical safety risks.
Security researcher Valentin Lobstein, who published further details about the flaw, confirmed its presence in LeRobot version 0.4.3. A fix is expected in version 0.6.0, but it remains unpatched for now. Another researcher, known as “chenpinji,” independently reported the flaw late last year, prompting Hugging Face to acknowledge the need for a significant codebase refactor.
Future Security Measures and Community Involvement
Steven Palma, the tech lead of the LeRobot project, acknowledged the historical focus on research over security. As LeRobot transitions into production use, security is becoming a greater priority. The open-source nature of the project allows the community to actively participate in identifying and rectifying vulnerabilities.
The disclosure underscores the ongoing risks associated with the pickle format, notorious for enabling arbitrary code execution when handling attacker-controlled inputs. Lobstein humorously noted the irony that Hugging Face, which developed Safetensors to avoid such risks, still uses pickle in parts of their robotics framework.
As this vulnerability highlights, open-source projects must remain vigilant about security, especially when leveraging potentially unsafe serialization methods.
