A critical remote code execution (RCE) vulnerability has been uncovered in Hugging Face’s LeRobot, a popular open-source robotics machine learning framework.
Tracked as CVE-2026-25874, the flaw carries a maximum CVSS severity score of 9.8 and allows unauthenticated attackers to execute arbitrary system commands on affected servers.
With over 21,500 stars on GitHub, LeRobot’s widespread adoption in the ML community makes this a significant security concern.
The vulnerability is rooted in the framework’s asynchronous inference module, which offloads policy computation to a separate GPU server.
This architecture utilizes a gRPC PolicyServer to manage communication between the robot client and the server.
However, the server employs Python’s inherently unsafe pickle.loads() function to deserialize data received from the network across multiple remote procedure call (RPC) handlers.
Compounding the architectural flaw, the gRPC channel is initialized with add_insecure_port(), meaning it lacks Transport Layer Security (TLS) and authentication.
As a result, any malicious actor with network access to the port can send a crafted serialized payload and achieve full system compromise.
Technical Breakdown and Exploitation
According to chocapikk, the security weakness exists within specific RPC endpoints, notably SendPolicyInstructions and SendObservations.
Both handlers process incoming protobuf messages containing raw byte fields and deserialize them using pickle before performing any strict type validation.
An attacker can exploit this by crafting a malicious Python object that executes system commands upon deserialization.
Because type validation checks, such as isinstance(), occur only after the object has been deserialized, the malicious RCE payload executes before the server can reject the anomalous data structure.
Notably, the codebase contained #nosec comments suppressing security linter warnings for these exact lines, indicating that developers were warned of the risk but chose to bypass it.
Ironically, neither endpoint requires pickle serialization. The data structures they process consist primarily of strings, integers, dictionaries, and tensors. These could be safely transmitted using JSON, standard protobuf fields, or Hugging Face’s safe formats.
By default, the server binds to localhost, which limits exposure for casual, isolated deployments.
However, in production environments where computation must be offloaded to a dedicated GPU server, administrators typically bind the service to 0.0.0.0 to permit external network access.
In these configurations, the server becomes highly vulnerable to network-wide automated exploitation, as attackers can easily spray malicious payloads without needing advanced fingerprinting.
To remediate CVE-2026-25874, organizations deploying LeRobot are strongly advised to implement the following architectural changes:
- Remove Pickle Serialization: Transition from pickle to safer serialization formats like JSON, native protobuf fields, or safetensors for handling network data.
- Implement TLS Encryption: Replace add_insecure_port() with add_secure_port() to encrypt network traffic and protect data integrity.
- Enforce Authentication: Introduce gRPC interceptors to enforce robust token-based authentication for all incoming remote requests.
This vulnerability highlights a recurring systemic pattern in the machine learning ecosystem: prioritizing prototyping convenience over foundational security.
Given that Hugging Face developed safetensors specifically to combat the exact dangers of pickle in ML data, the presence of this deserialization flaw in their own robotics framework serves as a stark reminder of the importance of secure coding practices.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
