
Unpatched Flaw Exposes Hugging Face LeRobot to Remote Code Execution


CVE-2026-25874, rated CVSS 9.3, is an unpatched, critical vulnerability in LeRobot — Hugging Face’s open-source robotics platform — that allows unauthenticated remote code execution by deserializing attacker-controlled data with Python’s unsafe pickle format.

How the flaw works: unsafe pickle on unauthenticated gRPC channels

A GitHub advisory describes the defect as "an unsafe deserialization vulnerability in the async inference pipeline, where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components." The advisory names three gRPC entry points an attacker can call: SendPolicyInstructions, SendObservations, and GetActions.

Resecurity, the cybersecurity company that analyzed the issue, said the problem is rooted in the async inference PolicyServer component. An unauthenticated attacker who can reach the PolicyServer network port can send a crafted pickle payload and execute arbitrary operating system commands on the host running the service.

Scope and technical consequences described by researchers

Researchers and security firms enumerated a broad set of consequences should the flaw be exploited. Resecurity listed potential effects including unauthenticated remote code execution, complete compromise of the PolicyServer host, impact to connected robots, theft of sensitive data such as API keys, SSH credentials, and model files, lateral movement across networks, and sabotage that could crash services, corrupt models, or create physical safety risks.

VulnCheck researcher Valentin Lobstein validated the exploit against LeRobot version 0.4.3 and published additional technical details. The issue remains unpatched at the time of reporting; a fix is planned for version 0.6.0.

Timeline, duplicate reports, and maintainer response

The vulnerability was independently reported by a researcher using the alias "chenpinji" in December 2025. The LeRobot team acknowledged the security risk earlier in January, saying "that part of the codebase needs to be almost entirely refactored as its original implementation was more experimental." Steven Palma, tech lead of the project, characterized LeRobot as "primarily a research and prototyping tool" and said deployment security "hasn't been a strong focus until now." Palma added that as LeRobot is adopted in production the team will "start paying much closer attention to these kinds of issues," and noted that "being an open-source project, the community can also help by reporting and fixing vulnerabilities."

Why the pickle format matters here

Lobstein highlighted the broader irony at play: "Hugging Face created Safetensors -- a serialization format designed specifically because pickle is dangerous for ML data. And yet their own robotics framework deserializes attacker-controlled network input with pickle.loads(), with # nosec comments to silence the tool that was trying to warn them."

The use of pickle for deserializing network input is the direct cause of the remote code execution risk, because the format permits executing arbitrary code during deserialization when a specially crafted payload is loaded.
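The two defensive controls that follow from this are a static scan of a pickle stream for code-reaching opcodes (usable on captured traffic before anything is loaded) and a restricted unpickler that refuses every global outside an allowlist at load time. This is an added example, not code from LeRobot or from the researchers; the message shapes, the allowlist contents and the `SAFE_GLOBALS` name are assumptions.

```python
import io
import os
import pickle
import pickletools

# Opcodes that let a pickle stream reach callables or trigger __reduce__/__setstate__
# hooks. A stream carrying only plain data (dicts, lists, numbers, strings) needs
# none of them, so their presence in an observation/action message is a red flag.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}

# Assumed allowlist: the only globals the restricted unpickler may resolve.
# Everything else (os.system, subprocess.Popen, builtins.eval, ...) is refused
# before it is even looked up.
SAFE_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


def code_opcodes(data: bytes) -> set:
    """Static triage: the code-reaching opcodes a stream contains, found with
    pickletools without executing the pickle. Useful as a detection over
    captured gRPC payloads."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & CODE_OPCODES


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime gate (the recipe from the Python pickle docs): every global the
    stream references passes through find_class, so the allowlist is enforced."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    """Hardened replacement for a bare pickle.loads() on network input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def runtime_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


# Constructed sample messages standing in for what a gRPC endpoint receives.
BENIGN = pickle.dumps({"joint_pos": [0.1, 0.2], "step": 7})
# Pickling any function by reference emits a GLOBAL/STACK_GLOBAL opcode, the same
# mechanism a crafted stream relies on to reach a callable; os.getcwd is harmless
# and is used here only to show both checks firing.
SUSPECT = pickle.dumps(os.getcwd)
```

Neither control replaces moving the transport to a format that cannot carry code (JSON, protobuf messages, or Safetensors for tensors); they limit exposure until that change ships.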

What this means for security teams, open-source maintainers, and robotics operators

  • Security teams assessing robotic deployments: teams operating or evaluating LeRobot should note the published validation against version 0.4.3 and that a fix is scheduled for 0.6.0; they should watch for an official patched release and for any network-exposed PolicyServer ports accepting unauthenticated gRPC calls.
  • Open-source maintainers and contributors: the LeRobot tech lead framed the code area as "experimental" and in need of refactoring; maintainers and contributors can expect to be asked to help audit and harden the async inference pipeline and to remediate unsafe deserialization use.
  • Robotics operators and deployers: because Resecurity flagged the service as commonly running with elevated privileges to access internal networks, data and compute, operators will be concerned about the potential for host compromise, theft of keys and models, lateral movement, and the possibility of physical safety impacts if connected robots are affected.

The record in the advisory and researcher write-ups is stark: a widely starred open-source robotics framework (nearly 24,000 GitHub stars) contains an unpatched, high-severity deserialization bug in a network-facing component. The LeRobot team has acknowledged the issue and planned a fix, but until version 0.6.0 is released the vulnerability — CVE-2026-25874 — remains a present risk to any deployment that exposes the PolicyServer to untrusted networks.

Source: thehackernews.com — Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE