Ethical Hacking News
A critical unpatched flaw in LeRobot, an open-source robotics platform developed by Hugging Face, leaves it vulnerable to remote code execution. The bug is a deserialization vulnerability rooted in the unsafe pickle format: an attacker who can reach the affected service can send a crafted serialized payload and execute arbitrary code. The impact could be severe, including unauthenticated remote code execution and compromise of connected robots.
LeRobot, an open-source robotics platform, has a critical unpatched flaw (CVE-2026-25874) that allows arbitrary code execution remotely. The vulnerability stems from the use of the unsafe pickle format in the async inference pipeline. Unauthenticated attackers can send malicious serialized payloads to execute operating system commands on host machines running the service. The impact could be severe, including unauthenticated remote code execution, data theft, and physical safety risks. A fix is planned for version 0.6.0, but deployment security has not been a primary focus until now due to the platform's original experimental nature.
LeRobot, an open-source robotics platform developed by Hugging Face, has been identified as vulnerable to a critical unpatched flaw that could allow attackers to execute arbitrary code remotely. This vulnerability, designated as CVE-2026-25874 (CVSS score: 9.3), is attributed to a case of untrusted data deserialization stemming from the use of the unsafe pickle format in the platform's async inference pipeline.
According to a GitHub advisory published by cybersecurity researchers, LeRobot contains an unsafe deserialization vulnerability in the policy server and robot client components, where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS. Because the channel is neither authenticated nor encrypted, any attacker who can reach the PolicyServer's network port, or sit on the path between a robot client and the server, can send a malicious serialized payload and run arbitrary operating system commands on the host running the service. No credentials are required.
The impact of this vulnerability could be severe, as LeRobot is designed for artificial intelligence inference systems that typically run with elevated privileges and have access to internal networks, datasets, and expensive compute resources. A successful exploit could enable a range of malicious actions: unauthenticated remote code execution, complete compromise of the PolicyServer host, control over connected robots, theft of sensitive data such as API keys, SSH credentials, and model files, lateral movement across the network, crashing services, corrupting models, or sabotaging operations in ways that pose physical safety risks.
Cybersecurity researcher Valentin Lobstein, who discovered and published additional details of the shortcoming last week, has successfully validated the vulnerability against LeRobot version 0.4.3. The issue currently remains unpatched, with a fix planned in version 0.6.0. Interestingly, another researcher independently reported this flaw sometime in December 2025.
In response to the discovery of this critical security risk, Steven Palma, tech lead of the LeRobot project, acknowledged that part of the codebase requires an almost entire refactoring because its original implementation was more experimental. The LeRobot team has noted that deployment security has not been a primary focus until now, primarily because the platform was initially developed as a research and prototyping tool.
However, with increasing adoption and deployment in production environments, the need for robust security measures will become more pressing. Fortunately, LeRobot's open-source nature allows the community to help identify and fix vulnerabilities through reporting and contributions.
This vulnerability highlights the dangers of insecure deserialization formats like pickle, which can pave the way for arbitrary code execution simply by loading a specially crafted byte stream, whether it arrives as a file or over a network socket. The irony here is hard to overstate: Hugging Face created Safetensors, a serialization format designed specifically because pickle is dangerous for ML data, yet its own robotics framework uses pickle.loads() with # nosec comments to silence the static-analysis tools (such as Bandit) that would otherwise flag exactly this pattern.
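The following Python is an added example written for this article, not code from LeRobot, Hugging Face, or the advisory. It shows why pickle.loads() on network bytes is remote code execution, and two stdlib-only mitigations: a restricted unpickler for code that cannot drop pickle yet, and a Safetensors-style explicit wire format (a length-prefixed JSON header followed by raw little-endian float32 bytes) that cannot carry code at all. The message layout (a flat float32 action vector) and all function names are assumptions made for illustration; the "attack" runs a harmless Python print instead of a real command.

```python
"""Added example: pickle deserialization of untrusted bytes, and two safer alternatives.

Illustrative code, not LeRobot's. The action-vector message layout is assumed.
"""
import io
import json
import pickle
import struct
import subprocess
import sys


class MaliciousAction:
    """What an attacker sends instead of a real action object.

    pickle does not store this class; it stores the callable and arguments
    returned by __reduce__, and the *loader* calls them. Here that is a
    harmless subprocess running Python's print; a real payload would be a shell.
    """

    def __reduce__(self):
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('pwned')"],))


def build_malicious_payload() -> bytes:
    """Serialize the attacker object; no code runs at this point."""
    return pickle.dumps(MaliciousAction())


def vulnerable_receive(data: bytes):
    """The pattern the advisory describes: trust whatever arrived on the socket."""
    return pickle.loads(data)  # runs subprocess.check_output([...]) from the payload


# Mitigation 1: restricted unpickler. Only defensible as a stopgap; the
# allow-list is empty because plain dicts/lists/floats need no globals at all.
ALLOWED_GLOBALS = frozenset()  # add ("module", "name") pairs deliberately


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects_payload(data: bytes) -> bool:
    """True if the restricted unpickler refuses the payload without running it."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Mitigation 2: an explicit, non-executable wire format (Safetensors-like):
#   u32 header_len | JSON header {dtype, shape, nbytes} | raw float32 LE bytes
MAX_ELEMENTS = 1_000_000  # assumed upper bound on an action vector


def encode_action(values):
    body = struct.pack(f"<{len(values)}f", *values)
    header = json.dumps({"dtype": "f4", "shape": [len(values)],
                         "nbytes": len(body)}).encode()
    return struct.pack("<I", len(header)) + header + body


def decode_action(data: bytes):
    """Parse the message; every field is validated before any allocation."""
    if len(data) < 4:
        raise ValueError("truncated length prefix")
    (hlen,) = struct.unpack_from("<I", data, 0)
    header_bytes = data[4:4 + hlen]
    if len(header_bytes) != hlen:
        raise ValueError("truncated header")
    header = json.loads(header_bytes)          # JSON cannot express code
    shape = header.get("shape")
    if header.get("dtype") != "f4" or not isinstance(shape, list) or len(shape) != 1:
        raise ValueError("unexpected dtype/shape")
    n = shape[0]
    if not isinstance(n, int) or n < 0 or n > MAX_ELEMENTS:
        raise ValueError("element count out of range")
    body = data[4 + hlen:]
    if len(body) != n * 4 or header.get("nbytes") != len(body):
        raise ValueError("body length mismatch")
    return list(struct.unpack(f"<{n}f", body))


def rejects_oversized() -> bool:
    """A header claiming MAX_ELEMENTS+1 floats must be refused."""
    header = json.dumps({"dtype": "f4", "shape": [MAX_ELEMENTS + 1],
                         "nbytes": 4}).encode()
    try:
        decode_action(struct.pack("<I", len(header)) + header + b"\x00" * 4)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    payload = build_malicious_payload()
    return {
        "unsafe_output": vulnerable_receive(payload),   # proof the payload executed
        "restricted_rejected": rejects_payload(payload),
        "roundtrip": decode_action(encode_action([0.5, -1.25, 3.0])),
        "oversize_rejected": rejects_oversized(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The restricted unpickler is the weaker of the two defences: it still parses attacker-controlled opcodes with the full pickle virtual machine, and every entry added to the allow-list must be audited for what it can be made to call. The explicit format is the real fix, and it is the same design decision Safetensors makes: the header is inert data and the body is raw bytes whose length is checked against the declared shape before use.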
In light of this discovery, users and developers should watch for the LeRobot 0.6.0 release and, until it ships, treat any exposed PolicyServer port as an unauthenticated code-execution endpoint: keep it off untrusted networks and restrict which hosts can reach it. The risks associated with this vulnerability underscore the importance of securing open-source software before it moves from the lab into production, and of identifying and addressing weaknesses before they can be exploited.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Unpatched-Flaw-in-LeRobot-Leaves-Open-Source-Robotics-Platform-Vulnerable-to-Remote-Code-Execution-ehn.shtml
https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
https://www.resecurity.com/blog/article/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization
Published: Tue Apr 28 07:36:05 2026 by llama3.2 3B Q4_K_M