Hugging Face LeRobot — CVE-2026-25874 Unauthenticated RCE via Pickle Deserialization
AI relevance: LeRobot is Hugging Face's open-source robotics and embodied AI platform (~24K GitHub stars); unauthenticated RCE on policy servers and robot clients creates physical safety risks beyond data compromise.
- CVE-2026-25874 (CVSS 9.3) stems from `pickle.loads()` deserializing data received over unauthenticated gRPC channels without TLS in LeRobot's async inference pipeline.
- An unauthenticated, network-reachable attacker can achieve arbitrary code execution on both the policy server and the robot client by sending a crafted pickle payload via the `SendPolicyInstructions`, `SendObservations`, or `GetActions` gRPC calls.
- The flaw lives in the async inference PolicyServer component — no authentication is required, only network reachability to the service port.
- Unlike typical web app vulnerabilities, successful exploitation can lead to physical safety consequences if the compromised robot is executing real-world actions.
- The vulnerability is a textbook example of the dangers of deserializing untrusted data — a class of bug that continues to resurface in ML/AI pipelines where pickle is used for model weight and policy serialization.
- Resecurity and the Hugging Face security team independently confirmed the issue; a GitHub advisory has been published.
Why it matters
Robotics and embodied AI systems are transitioning from research labs to production deployments in warehouses, healthcare, and logistics. An unauthenticated RCE in the inference pipeline means any network-accessible robot can be remotely hijacked — not just for data exfiltration, but for physical actions. The reliance on pickle for ML artifact exchange across the AI ecosystem makes this pattern worth watching broadly.
What to do
- Upgrade LeRobot to the patched release immediately.
- Ensure policy servers and robot clients are not directly exposed to untrusted networks — segment them behind firewalls or in isolated VLANs.
- Enable TLS on all gRPC channels and require mutual authentication between policy servers and robot clients.
- Audit all AI/ML pipelines that use pickle for deserialization; consider migrating to safer serialization formats (e.g., safetensors for model weights, JSON/protobuf for data).
- Monitor gRPC traffic for anomalous payload sizes or unexpected source IPs targeting LeRobot services.
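The audit and monitoring items above can be turned into concrete checks. The following is an added example, not LeRobot project code: it statically scans a pickle payload for the opcodes that any code-executing pickle must contain (`GLOBAL`/`STACK_GLOBAL` plus `REDUCE`/`NEWOBJ`/`BUILD`), refuses to resolve globals at load time as a second layer, and shows the shape of the recommended migration to a data-only format (JSON validated against an explicit schema). The observation field names `joint_positions` and `timestamp`, the 1 MiB size limit, and the sample payloads are constructed assumptions for illustration.

```python
"""Defensive checks for pickle payloads arriving over a network channel.

Added example; this is not LeRobot project code. The field names
(joint_positions, timestamp), the size limit, and the sample payloads are
assumptions chosen for illustration.
"""
import collections
import io
import json
import pickle
import pickletools

# Opcodes that import or call Python objects. A pickle that carries only
# plain data (dicts, lists, numbers, strings, bytes) never needs any of them.
UNSAFE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}

MAX_PAYLOAD_BYTES = 1 << 20  # assumed limit; tune to the real observation size


def scan_pickle(payload: bytes) -> list[str]:
    """Walk the opcode stream without executing it; return unsafe opcodes seen."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(payload):
            if opcode.name in UNSAFE_OPCODES:
                found.append(opcode.name)
    except ValueError as exc:  # truncated, malformed, or unknown opcode
        found.append(f"MALFORMED:{exc}")
    return found


class NoGlobalsUnpickler(pickle.Unpickler):
    """Second layer: refuse to resolve any module.attribute reference at load time."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global reference refused: {module}.{name}")


def safe_loads(payload: bytes):
    """Size check, static opcode scan, then a load that cannot resolve globals."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD_BYTES}")
    unsafe = scan_pickle(payload)
    if unsafe:
        raise pickle.UnpicklingError(f"refused payload, unsafe opcodes: {unsafe}")
    return NoGlobalsUnpickler(io.BytesIO(payload)).load()


def classify(payload: bytes) -> str:
    """Wrapper for logging/alerting: 'accepted' or 'refused: <reason>'."""
    try:
        safe_loads(payload)
        return "accepted"
    except (pickle.UnpicklingError, ValueError) as exc:
        return f"refused: {exc}"


def loads_observation_json(payload: bytes) -> dict:
    """Data-only alternative: JSON validated against an explicit schema."""
    obj = json.loads(payload.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"joint_positions", "timestamp"}:
        raise ValueError("unexpected observation schema")
    joints = obj["joint_positions"]
    if not (isinstance(joints, list) and all(
            isinstance(x, (int, float)) and not isinstance(x, bool) for x in joints)):
        raise ValueError("joint_positions must be a list of numbers")
    if not isinstance(obj["timestamp"], (int, float)):
        raise ValueError("timestamp must be a number")
    return obj


# Constructed sample payloads used by the demonstration below.
def sample_data_only_pickle() -> bytes:
    """A plain observation dict: the kind of content a data channel should carry."""
    return pickle.dumps({"joint_positions": [0.1, -0.25, 1.3], "timestamp": 1700000000})


def sample_global_pickle() -> bytes:
    """Benign, but references a class by module path, which is what code execution needs."""
    return pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    for label, blob in (("data-only", sample_data_only_pickle()),
                        ("with-global", sample_global_pickle())):
        print(label, scan_pickle(blob), classify(blob))
    print(loads_observation_json(b'{"joint_positions": [0.1, 0.2], "timestamp": 42}'))
```

The opcode scan is a precise detector because a pickle cannot call anything without first naming a module-level object (`GLOBAL`/`STACK_GLOBAL`) and then invoking it (`REDUCE`, `NEWOBJ`, or `BUILD`); `classify()` gives the string you would log or alert on. It is still a mitigation, not a fix: the durable answer is to stop unpickling network input at all, and `loads_observation_json()` shows what a schema-checked, data-only decoder looks like for the same observation.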