Hugging Face LeRobot Has a Critical Unauthenticated RCE Vulnerability Due to Insecure Pickle Deserialization
2026-4-29 11:33:36 Author: cybersecuritynews.com

A critical, currently unpatched remote code execution (RCE) vulnerability has been disclosed in LeRobot, Hugging Face’s popular open-source machine learning framework for real-world robotics.

Tracked as CVE-2026-25874 with a critical CVSS score of 9.3, the flaw allows unauthenticated attackers to execute arbitrary system commands on vulnerable host machines.

With nearly 24,000 stars on GitHub, this vulnerability poses a severe risk to AI infrastructure, connected robots, and sensitive proprietary data.

Insecure Pickle Deserialization

The detailed proof-of-concept published by Chocapikk shows that the flaw lies in the async inference module, which offloads heavy computations to a GPU server.

The PolicyServer and RobotClient components use Python’s native pickle module to deserialize data transmitted over unauthenticated gRPC channels.

Because the gRPC server uses add_insecure_port() without Transport Layer Security (TLS) or authentication, anyone with network access can connect directly to the service.

By sending a maliciously crafted serialized payload via RPC handlers such as SendPolicyInstructions or SendObservations, attackers can trigger automatic arbitrary code execution.

The malicious payload executes immediately during the pickle.loads() process, long before the system performs any data type validation.
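The ordering problem described above, as an added example that is not LeRobot's code: a decoder that calls pickle.loads() and only then checks the object's type, beside a restricted unpickler that refuses to resolve any global name outside a small allow-list of plain data types (the hardening pattern from the Python pickle documentation, used here as an interim measure). The sample messages are constructed; the global reference uses os.getcwd because it is harmless, and nothing in the stream is ever called.

```python
"""
Added example (not LeRobot's code): why validating *after* pickle.loads()
is too late, and a restricted unpickler that refuses anything but plain data.
Only the Python standard library is used; the "messages" below are constructed.
"""
import io
import os
import pickle


def unsafe_decode(blob: bytes) -> dict:
    """The pattern the article describes: deserialize first, validate second.

    Every global reference in the stream has already been resolved (and any
    callable a malicious stream names has already been invoked) by the time
    the isinstance() check below runs, so the check cannot protect the host.
    """
    obj = pickle.loads(blob)  # arbitrary object construction happens here
    if not isinstance(obj, dict):
        raise TypeError("expected a dict observation")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves a small allow-list of builtin names.

    pickle resolves every GLOBAL/STACK_GLOBAL reference through find_class();
    refusing unknown names here closes the path by which a pickle stream
    reaches module-level callables. Plain containers and scalars need no
    global lookup at all, so a data-only message still loads.
    """
    ALLOWED = {
        ("builtins", name)
        for name in ("dict", "list", "tuple", "set", "frozenset",
                     "bytes", "str", "int", "float", "bool")
    }

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_decode(blob: bytes) -> dict:
    """Same contract as unsafe_decode, but globals are rejected during loading."""
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, dict):
        raise TypeError("expected a dict observation")
    return obj


# Constructed sample: a benign observation message made of plain data only.
BENIGN_OBSERVATION = pickle.dumps(
    {"joint_positions": [0.1, 0.2, 0.3], "camera": b"\x00" * 8}
)

# Constructed sample: a stream that references a module-level callable by
# name (os.getcwd, chosen because it is harmless). Resolving that name is the
# step the restricted unpickler refuses; the unrestricted decoder resolves it
# and only afterwards notices the result is not a dict.
GLOBAL_REFERENCE = pickle.dumps(os.getcwd)


def classify(blob: bytes, decoder) -> str:
    """Return 'accepted', 'rejected-type' or 'rejected-global' for a decoder."""
    try:
        decoder(blob)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected-global"
    except TypeError:
        return "rejected-type"


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_OBSERVATION),
                        ("global-ref", GLOBAL_REFERENCE)):
        print(label,
              "unsafe:", classify(blob, unsafe_decode),
              "restricted:", classify(blob, restricted_decode))
```

The restricted unpickler is a stop-gap for code that cannot yet move off pickle; the durable fix, as the article notes for LeRobot 0.6.0, is a format such as safetensors or JSON that carries no instructions to execute.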

Exploiting this vulnerability requires no credentials and no complex attack chains.

Because AI inference servers typically run with elevated system privileges to manage expensive GPU resources and massive datasets, a successful breach is devastating.

Attackers could gain complete administrative control over the host machine.

They can move laterally across the internal network, corrupt machine learning models, exfiltrate Hugging Face API keys, and potentially sabotage the physical operations of connected robots.

The vulnerability affects LeRobot versions up to 0.5.1.

Chocapikk security researchers emphasized a glaring irony in this codebase: Hugging Face originally developed the safetensors format specifically to eliminate the severe security risks associated with pickle serialization.

Despite creating the safe alternative, LeRobot developers used the unsafe pickle format for convenience.

Furthermore, Chocapikk discovered the source code contained # nosec tags directly next to the pickle.loads() calls.

These comments were deliberately placed to suppress automated security linter warnings that accurately flagged the vulnerability during development.

Mitigation Strategies

A permanent patch replacing pickle with safetensors and JSON is planned for LeRobot version 0.6.0.

Until this official fix is deployed, organizations must implement immediate defensive measures:

  • Restrict network access to ensure the LeRobot async inference server is never exposed to untrusted networks or the public internet.
  • Bind the server strictly to localhost rather than 0.0.0.0 to block all external connection attempts.
  • Implement strong API gateways, VPNs, and network-level firewalls to enforce strict authentication before traffic reaches the gRPC port.
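One check that supports the second measure above, as an added example that is not LeRobot's code: audit a Linux host's listening sockets and flag any service bound to a wildcard or non-loopback address. The input is the text of `ss -ltn`; the sample output below is constructed, and its port numbers are arbitrary.

```python
"""
Added example (not LeRobot's code): audit listening sockets for services
bound to all interfaces, as a check for the "bind to localhost" mitigation.
Input is the text of `ss -ltn` on Linux; the sample below is constructed.
"""
import ipaddress

# Constructed sample of `ss -ltn` output: one listener on 0.0.0.0, one IPv6
# wildcard, and two loopback-only services. Port numbers are arbitrary.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:8080         0.0.0.0:*
LISTEN  0       4096    [::]:50051           [::]:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# Addresses that mean "every interface" in ss output and in gRPC bind strings.
WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local_address(field: str) -> tuple[str, int]:
    """Split ss's 'host:port' field; IPv6 hosts are bracketed."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_exposed(host: str) -> bool:
    """True when the bind address accepts connections from other hosts."""
    if host in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unparseable host: report it rather than assume it is safe


def exposed_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (host, port) for every LISTEN socket reachable from other hosts."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_local_address(fields[3])
        if is_exposed(host):
            found.append((host, port))
    return found


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed listener on {host}:{port}")
```

Run the function over the live output of `ss -ltn` to confirm that the inference server's gRPC port appears only on 127.0.0.1 or ::1; a wildcard bind is the configuration the first two bullets tell you to remove.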


Abinaya (https://cybersecuritynews.com/)

Abi is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.


Article source: https://cybersecuritynews.com/hugging-face-lerobot-vulnerability/