Critical Deserialization Flaw in Hugging Face LeRobot: CVE-2026-25874
In the rapidly evolving landscape of robotics and machine learning, a significant security oversight has surfaced within the LeRobot framework. Developed by Hugging Face, LeRobot has become a cornerstone for open-source robotics research, boasting over 21,500 GitHub stars. However, a newly disclosed Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-25874, has cast a shadow over its widespread adoption.
With a critical CVSS severity score of 9.8, this flaw represents a “worst-case scenario” for operators: an unauthenticated attacker can achieve full system compromise by executing arbitrary commands on the host server.
The Architectural Root Cause: Insecure Deserialization
To understand how this vulnerability manifests, one must look at LeRobot’s distributed architecture. To handle the heavy lifting of machine learning, the framework utilizes an asynchronous inference module. This setup offloads policy computation from the robot client to a dedicated, high-performance GPU server via a gRPC-based PolicyServer.
The vulnerability lies in how this server handles incoming data. The framework employs Python’s pickle module to deserialize data received across various Remote Procedure Call (RPC) handlers. While pickle is convenient for recreating complex Python objects, it is inherently unsafe because it can be manipulated to execute arbitrary code during the reconstruction process.
Making matters worse, the gRPC channel is initialized using add_insecure_port(). This means the communication channel lacks Transport Layer Security (TLS) and, crucially, lacks any form of authentication. In its current state, the server is essentially “listening” to anyone on the network, trusting that any incoming byte stream is legitimate.
Technical Breakdown and Exploitation Mechanics
As detailed by security researcher chocapikk, the attack surface is concentrated within specific RPC endpoints, primarily SendPolicyInstructions and SendObservations.
These handlers receive protobuf messages containing raw byte fields. The logic flow follows a dangerous pattern: the server receives the bytes, passes them directly into pickle.loads(), and only after the object has been reconstructed does it perform type validation (e.g., using isinstance()). This creates a race condition of logic where the malicious payload executes during the deserialization phase—long before the server has a chance to realize the data structure is anomalous and reject it.
Perhaps most concerning from a development standpoint is the presence of #nosec comments within the codebase. These comments are used to instruct security linters (like Bandit) to ignore specific lines of code that are known to be high-risk. This suggests that the risk of using pickle was identified during development but was manually bypassed to maintain functionality.
The irony here is profound: the data being transmitted—primarily strings, integers, dictionaries, and tensors—does not actually require the complexity of pickle. These structures could be safely handled using JSON, standard protobuf serialization, or Hugging Face’s own safetensors format, which was specifically designed to provide a secure alternative to pickle.
Exposure Scenarios: Localhost vs. Production
By default, the PolicyServer binds to localhost, which provides a layer of “security by obscurity” for users running everything on a single machine. However, the primary use case for this framework involves offloading computation to remote GPU clusters. In these production environments, administrators must bind the service to 0.0.0.0 to allow network access.
Once bound to a network interface, the server becomes a visible target. An attacker on the same network can broadcast malicious serialized payloads to the open port, leading to automated, widespread exploitation without the need for complex system fingerprinting.
Remediation and Best Practices
For organizations and researchers currently deploying LeRobot, immediate action is required to harden the environment. We recommend the following architectural shifts:
- Deprecate Pickle: Transition all network-facing data serialization to secure formats. Use
JSONfor simple data orsafetensorsfor tensor-heavy workloads. - Enable Transport Security: Replace
add_insecure_port()withadd_secure_port(). Implementing TLS is non-negotiable for any service exposed to a network. - Mandate Authentication: Utilize gRPC interceptors to implement robust, token-based authentication. No request should be processed without a verified identity.
This incident serves as a sobering reminder of a systemic trend in the AI/ML ecosystem: the tendency to prioritize rapid prototyping and developer convenience over foundational security principles. When a framework built by a leader in the field—one that actively promotes safer formats like safetensors—succumbs to a classic deserialization error, it underscores the need for rigorous security audits in the robotics software supply chain.