
Critical Unpatched Vulnerability in Hugging Face LeRobot Enables Unauthenticated Remote Code Execution


Key Findings


  • CVE-2026-25874 (CVSS 9.3) in Hugging Face LeRobot allows unauthenticated remote code execution via unsafe pickle deserialization

  • Vulnerability exists in PolicyServer and robot client components using unencrypted gRPC channels without TLS

  • Flaw remains unpatched as of publication, with a fix planned for version 0.6.0

  • Nearly 24,000 GitHub stars indicate significant adoption despite the critical security issue

  • Attackers can steal credentials, compromise connected robots, and move laterally across networks


Background


LeRobot is Hugging Face's open-source robotics platform designed for AI inference systems in robot control. The project has gained considerable traction in the research and prototyping community, though the developers acknowledge deployment security hasn't been a primary focus until now. The vulnerability was independently discovered by two researchers, with VulnCheck's Valentin Lobstein publishing detailed analysis and another researcher known as "chenpinji" reporting it in December 2025.


Technical Vulnerability Details


The flaw stems from the async inference PolicyServer component using pickle.loads() to deserialize data received over unauthenticated gRPC channels without TLS encryption. An attacker positioned on the network can reach the PolicyServer port and send a malicious serialized payload through SendPolicyInstructions, SendObservations, or GetActions gRPC calls to achieve arbitrary code execution. The issue was validated against LeRobot version 0.4.3 and continues to affect current releases.
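To make the mechanism above concrete, here is an added illustration (not LeRobot's code, and not the published proof of concept) of the two halves of the problem: a loader that calls `pickle.loads()` on bytes it did not produce, and one hardening pattern, an allow-list `Unpickler.find_class` override, applied to the same bytes. The sample payloads are constructed here; `os.getcwd` stands in for "whatever callable the bytes name" only because it is harmless, and the names `make_benign_observation`, `make_constructed_probe` and `check_payload` are this example's own.

```python
"""Added example (not LeRobot's code): why pickle.loads() on network bytes is
unsafe, and an allow-list unpickler as one hardening pattern.  All payloads
below are constructed in this file; nothing is captured from a deployment."""
import io
import os
import pickle
from collections import OrderedDict

# Globals a legitimate observation payload is allowed to reference.  Plain
# dicts, lists and numbers are encoded as opcodes and never consult this list;
# OrderedDict is included to show a permitted class being resolved.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global (module, name) pair not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not permitted in observation payloads"
        )


def unsafe_load(data: bytes):
    """The vulnerable pattern: construct whatever the bytes describe."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened pattern: same bytes, but every global goes through the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_payload(data: bytes) -> str:
    """Classify a payload for logging or alerting without ever loading it unrestricted."""
    try:
        safe_load(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


# --- constructed sample inputs -------------------------------------------

def make_benign_observation() -> bytes:
    """A legitimate-looking observation: an OrderedDict of numbers and lists."""
    return pickle.dumps(OrderedDict(state=[0.1, 0.2], step=3))


class _CallsBackOnLoad:
    """Stand-in for an attacker-shaped object: pickle records the callable that
    __reduce__ returns, and a plain loader invokes it.  os.getcwd is chosen
    because it is harmless (pickle will record it under its real module, posix
    or nt); the lesson is that the loader, not the sender, must decide what runs."""

    def __reduce__(self):
        return (os.getcwd, ())


def make_constructed_probe() -> bytes:
    return pickle.dumps(_CallsBackOnLoad())


if __name__ == "__main__":
    print("benign   ->", check_payload(make_benign_observation()))
    print("probe    ->", check_payload(make_constructed_probe()))
    print("unsafe_load ran the probe's callable and returned:", unsafe_load(make_constructed_probe()))
```

A restricted unpickler only narrows what a payload may construct; it does not address the other half of the finding, an unauthenticated gRPC listener without TLS. In practice the allow-list is a stopgap, and replacing pickle with a data-only format (Safetensors or JSON for the tensors and metadata the server actually needs) plus mutual TLS on the channel is the durable fix.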


Potential Attack Impact


Successful exploitation could enable complete compromise of the PolicyServer host machine. Beyond that, attackers could steal sensitive data like API keys, SSH credentials, and model files. They could impact connected robots, crash services, corrupt models, and create physical safety risks. The threat is especially serious because these systems typically run with elevated privileges and access to internal networks, datasets, and expensive compute resources.


Developer Response and Timeline


Steven Palma, tech lead for LeRobot, acknowledged the security risk in January after the vulnerability disclosure. The team noted that the affected codebase was experimental and requires substantial refactoring. They recognized the gap between LeRobot's original research focus and its increasing production deployment. While a fix is planned for version 0.6.0, no timeline has been specified for release, leaving users currently vulnerable.


The Pickle Irony


The situation highlights a notable contradiction in Hugging Face's approach to security. The company previously created Safetensors, a serialization format specifically designed to replace pickle because of its known dangers for machine learning data. Yet LeRobot directly contradicts this philosophy by deserializing attacker-controlled network input with pickle.loads(), even including code comments to suppress security warnings from analysis tools.
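The suppression comments mentioned above are worth hunting for in any codebase that handles model or observation data. The following added audit script (this page's own illustration, not a LeRobot or Hugging Face tool) walks a Python module's AST, lists every `pickle.load`/`pickle.loads` call, including ones reached through `from pickle import loads as ...`, and records whether the line carries a `# nosec` or `# noqa` marker. The `SAMPLE_SOURCE` it scans is constructed for the example.

```python
"""Added example (not from the LeRobot project): an AST audit that lists pickle
deserialization calls and notes whether the line carries a scanner-suppression
comment such as '# nosec' or '# noqa'."""
import ast
from typing import Dict, List, Tuple

SUPPRESSION_MARKERS = ("nosec", "noqa")
PICKLE_LOADERS = ("load", "loads")


def find_pickle_loads(source: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, call description, suppressed?) for each pickle loader call."""
    tree = ast.parse(source)
    lines = source.splitlines()

    # Names that refer to the pickle module ('import pickle', 'import pickle as p')
    # and names bound directly to its loaders ('from pickle import loads as x').
    module_names = set()
    from_imports: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "pickle":
                    module_names.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "pickle":
            for alias in node.names:
                from_imports[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_names and func.attr in PICKLE_LOADERS):
            description = f"pickle.{func.attr}"
        elif isinstance(func, ast.Name) and from_imports.get(func.id) in PICKLE_LOADERS:
            description = f"pickle.{from_imports[func.id]} (imported as {func.id})"
        else:
            continue
        # Crude comment extraction: a '#' inside a string literal on the same
        # line would be misread, which is acceptable for a triage listing.
        comment = lines[node.lineno - 1].partition("#")[2].lower()
        suppressed = any(marker in comment for marker in SUPPRESSION_MARKERS)
        findings.append((node.lineno, description, suppressed))
    findings.sort()
    return findings


# Constructed input for the example; it is not LeRobot source code.
SAMPLE_SOURCE = '''\
import json
import pickle
from pickle import loads as unpickle

def handle(data):
    obs = pickle.loads(data)  # nosec B301
    cfg = json.loads(data)
    act = unpickle(data)
    return obs, cfg, act
'''

if __name__ == "__main__":
    for lineno, description, suppressed in find_pickle_loads(SAMPLE_SOURCE):
        flag = "SUPPRESSED WARNING" if suppressed else "unsuppressed"
        print(f"line {lineno}: {description} [{flag}]")
```

Run this over each module that touches a network or file boundary; a pickle loader whose warning has been silenced, rather than replaced with a safe format, is the pattern the article describes and deserves a code-review comment every time.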


Sources


  • https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html

  • https://www.youtube.com/shorts/kkzXr2tnEYI

  • https://x.com/TheHackersNews/status/2049087528117190757

  • https://www.cypro.se/2026/04/28/critical-unpatched-flaw-leaves-hugging-face-lerobot-open-to-unauthenticated-rce/

  • https://x.com/TheCyberSecHub/status/2049099143810081158
