Hugging Face LeRobot Critical RCE Vulnerability Patched

David kimber
April 29, 2026

Key Takeaways

  • A critical remote code execution (RCE) vulnerability, CVE-2026-25874, has been identified in Hugging Face’s LeRobot framework.
  • The flaw, rated 9.3 CVSS, allows unauthenticated attackers to execute arbitrary commands on systems running LeRobot versions up to 0.5.1.
  • The vulnerability stems from insecure deserialization using Python’s pickle module over unauthenticated gRPC channels.
  • A patch is anticipated in LeRobot version 0.6.0, but immediate network restrictions are advised.

Hugging Face’s LeRobot, an open-source machine learning framework widely adopted for real-world robotics applications, is affected by a severe, unpatched remote code execution (RCE) vulnerability. The flaw, identified as CVE-2026-25874 with a CVSS score of 9.3, enables attackers to execute arbitrary system commands on affected host machines without requiring authentication.

Given LeRobot’s extensive use, evidenced by nearly 24,000 stars on GitHub, this vulnerability poses a significant threat to AI infrastructure, networked robotic systems, and sensitive proprietary data. A successful exploit could lead to complete system compromise, data exfiltration, and even the physical sabotage of connected robots.

Insecure Pickle Deserialization at Core of Flaw

Security researcher Chocapikk published a detailed proof-of-concept, highlighting the vulnerability within LeRobot’s async inference module. This module is designed to offload intensive computations to GPU servers, a common practice in modern AI systems.

The issue arises from the interaction between the PolicyServer and RobotClient components, which rely on Python’s native pickle module for deserializing data transmitted across unauthenticated gRPC channels. Critically, the gRPC server utilizes add_insecure_port(), negating the use of Transport Layer Security (TLS) or any form of authentication. This configuration means that any party with network access can directly connect to the service.

Attackers can exploit this by sending a specially crafted serialized payload via RPC handlers, such as SendPolicyInstructions or SendObservations. The malicious payload executes immediately during the pickle.loads() call, before any subsequent data type validation can run. Because no credentials and no complex attack chain are required, the vulnerability is particularly potent.
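Because validation after pickle.loads() comes too late, a receiver has to decide before loading. The sketch below is an added example, not LeRobot code or anything from the advisory: it inspects a pickle's opcodes without executing it, refuses every import while unpickling, and shows a data-only JSON decoder. The message fields `timestep` and `joint_positions` and all function names are assumptions for illustration.

```python
import io
import json
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that make the unpickler import a name or call/instantiate something.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def risky_opcodes(raw: bytes) -> set:
    """Walk the pickle opcode stream without executing it."""
    return {op.name for op, _arg, _pos in pickletools.genops(raw)} & RISKY_OPCODES

class NoGlobalsUnpickler(pickle.Unpickler):
    """Stop-gap: refuse every import, so only plain containers and scalars load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked import of {module}.{name}")

def load_plain_pickle(raw: bytes):
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()

def decode_observation_json(raw: bytes) -> dict:
    """Data-only replacement: parse JSON, then validate a hypothetical schema."""
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict) or set(msg) != {"timestep", "joint_positions"}:
        raise ValueError("unexpected message shape")
    if not isinstance(msg["timestep"], int) or isinstance(msg["timestep"], bool):
        raise ValueError("timestep must be an integer")
    joints = msg["joint_positions"]
    if not isinstance(joints, list) or not all(
            isinstance(j, (int, float)) and not isinstance(j, bool) for j in joints):
        raise ValueError("joint_positions must be a list of numbers")
    return msg

# Constructed samples: one data-only pickle, one benign pickle that needs an import.
PLAIN = pickle.dumps({"timestep": 3, "joint_positions": [0.1, -0.4]})
NEEDS_IMPORT = pickle.dumps(OrderedDict(timestep=3))

def is_blocked(raw: bytes) -> bool:
    """True when the restricted unpickler refuses the stream."""
    try:
        load_plain_pickle(raw)
        return False
    except pickle.UnpicklingError:
        return True
```

The restricted unpickler is only a stop-gap for code that cannot yet drop pickle; the JSON path never resolves names from the wire at all.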

The implications of such an exploit are severe. AI inference servers typically operate with elevated system privileges to manage high-cost GPU resources and vast datasets. A breach could grant attackers full administrative control over the host machine, enabling lateral movement within internal networks, corruption of machine learning models, exfiltration of Hugging Face API keys, and potential disruption of physical robot operations.

This vulnerability affects all LeRobot versions up to 0.5.1.

Chocapikk also pointed out a significant irony: Hugging Face itself developed the safetensors format specifically to mitigate the inherent security risks associated with pickle serialization. Despite this, LeRobot developers opted for the less secure pickle format, presumably for convenience. Furthermore, as Chocapikk discovered, the source code contained # nosec tags directly adjacent to the pickle.loads() calls. These comments were intentionally placed to suppress warnings from automated security linters that accurately flagged the vulnerability during development.

What You Should Do

A permanent resolution, involving the replacement of pickle with safetensors and JSON, is slated for LeRobot version 0.6.0. Until this official patch becomes available, organizations must implement immediate defensive measures to protect their systems:

  • Strictly limit network access, ensuring that the LeRobot async inference server is never exposed to untrusted networks or the public internet.
  • Configure the server to bind exclusively to localhost (127.0.0.1) instead of 0.0.0.0 to prevent all external connection attempts.
  • Deploy robust API gateways, VPNs, and network-level firewalls to enforce stringent authentication protocols before any traffic can reach the gRPC port.
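To check a deployment or fork for the patterns named in this article (pickle.loads() calls silenced with # nosec, add_insecure_port(), and a 0.0.0.0 bind), a small source audit helps. This is an added example, not LeRobot code; the sample source, its port number and the rule names are constructed for illustration.

```python
import ast

# Constructed sample resembling the pattern the article describes; not LeRobot source.
SAMPLE = '''\
import pickle
import grpc

def SendObservations(request, context):
    obs = pickle.loads(request.data)  # nosec
    return obs

def serve(server):
    server.add_insecure_port("0.0.0.0:8080")
    server.start()
'''

def dotted_name(node):
    """Return a 'pickle.loads' style name for a call target, or '' if not simple."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def audit(source: str):
    """Return sorted (line, rule, detail) findings for one Python source string."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        text = "\n".join(lines[node.lineno - 1:node.end_lineno])
        if name in ("pickle.loads", "pickle.load"):
            suppressed = "# nosec" in text or "#nosec" in text
            findings.append((node.lineno, "pickle-deserialization",
                             "suppressed with nosec" if suppressed else "unsuppressed"))
        elif name.endswith("add_insecure_port"):
            arg = node.args[0] if node.args else None
            is_str = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            addr = arg.value if is_str else ""
            wide = addr.startswith(("0.0.0.0", "[::]"))
            findings.append((node.lineno, "grpc-insecure-port",
                             "binds all interfaces" if wide else "no TLS"))
    return sorted(findings)
```

Running `audit()` over each .py file in a checkout surfaces findings that a nosec comment would otherwise hide from the linter report.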
