A significant remote code execution (RCE) vulnerability has been identified in Hugging Face’s widely used open-source machine learning framework, LeRobot. This flaw, which is yet to be patched, poses a serious threat to AI infrastructure and connected robotic systems.
Overview of the Vulnerability
Designated as CVE-2026-25874 and carrying a critical CVSS score of 9.3, this vulnerability permits unauthenticated attackers to execute arbitrary commands on affected systems. LeRobot, which boasts close to 24,000 stars on GitHub, is now under scrutiny due to the potential risk to sensitive data and to the operational integrity of AI systems built on it.
Technical Details: Insecure Pickle Deserialization
The vulnerability is rooted in the async inference module, according to a proof-of-concept by Chocapikk. This module uses Python's pickle module to deserialize data received over unauthenticated gRPC channels. Because the server is started with add_insecure_port(), with neither TLS nor authentication, any host that can reach the port can open a connection.
Attackers can exploit this by sending crafted serialized payloads through functions like SendPolicyInstructions or SendObservations, leading to arbitrary code execution during the pickle.loads() process. This vulnerability is highly concerning due to the elevated privileges under which AI inference servers operate.
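The following is an added illustration of the defensive control that applies to this class of bug; it is example code written for this article, not LeRobot's own code and not the project's planned fix. Python's pickle resolves the class and function references inside a byte stream through the unpickler's find_class() hook, and the REDUCE opcode then calls whatever that lookup returned, which is the path to arbitrary code execution described above. Overriding find_class() with an allowlist, as the Python documentation recommends for untrusted input, refuses the lookup before anything is called. The message layout, the allowed types, and the helper names (SAFE_GLOBALS, safe_loads, is_accepted) are assumptions for the example.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs a deserialized message may reference.
# Assumption (not from the page): legitimate observation/instruction messages
# consist only of plain containers and scalars; anything else is rejected.
SAFE_GLOBALS = {
    ("builtins", name)
    for name in ("dict", "list", "tuple", "set", "frozenset", "str", "bytes",
                 "bytearray", "int", "float", "bool", "complex")
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup not on the allowlist.

    pickle.loads() resolves GLOBAL/STACK_GLOBAL opcodes via find_class() and
    a later REDUCE opcode calls the object it returned, so refusing the lookup
    closes the arbitrary-code path before any callable is constructed.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to resolve {module}.{name}: not on the allowlist")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() when the input is untrusted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the payload deserializes under the allowlist, False if refused."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample inputs (not taken from the page):
# 1. a benign observation-like message built only from allowed types
BENIGN_PAYLOAD = pickle.dumps({"joint_positions": [0.1, 0.2], "step": 3})
# 2. a payload that names a module-level function. pickle.dumps() serialises a
#    function as a GLOBAL reference, the same opcode family a hostile payload
#    needs to reach code. os.getenv is chosen purely because it is harmless;
#    the point is that the lookup itself is refused, whatever it names.
SUSPICIOUS_PAYLOAD = pickle.dumps(os.getenv)


if __name__ == "__main__":
    print("benign accepted    :", is_accepted(BENIGN_PAYLOAD))      # True
    print("suspicious accepted:", is_accepted(SUSPICIOUS_PAYLOAD))  # False
    # Plain pickle.loads() happily resolves the reference; that is the gap.
    print("plain pickle.loads resolves it to:", pickle.loads(SUSPICIOUS_PAYLOAD))
```

A restricted unpickler is a mitigation for code that cannot yet drop pickle; it does not make pickle a safe wire format, which is why the move to safetensors and JSON, rather than an allowlist, is the proper fix. Any remaining pickle endpoint should also stay behind the network controls described below.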
Implications and Mitigation Strategies
Successful exploitation can grant attackers full administrative control, enabling lateral network movements, data corruption, and potential operational sabotage of robotic systems. The vulnerability affects LeRobot versions up to 0.5.1.
The developers plan to switch to the safetensors and JSON formats in version 0.6.0 to remove the risk. In the interim, organizations are advised to restrict network access to the inference server, bind it to localhost, and place it behind a properly configured API gateway and firewall.
Security researchers from Chocapikk highlighted the irony of this issue, as the safetensors format was explicitly created to avoid the security pitfalls of pickle serialization. However, the convenience of the pickle format led to its continued use, compounded by deliberate suppression of security warnings in the code.
