CVE-2026-25874
Published 2026-04-23
Priority: P182, critical, 9.8 (CVSS 3.1)
EPSS: 15.55% (96.4th percentile)
LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hugging_face | lerobot | <= 0.5.1 | — |
| huggingface | lerobot | <= 0.5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated gRPC connections (no TLS) to the LeRobot PolicyServer port; any inbound gRPC traffic to the PolicyServer from untrusted or external sources should be alerted on.
- Detect use of pickle.loads() on data received from network sources within the LeRobot async inference pipeline; look for `# nosec` comments suppressing security-tool warnings around pickle.loads() calls in the codebase.
- Alert on unexpected process spawning or OS command execution originating from the PolicyServer process, which may indicate successful exploitation of the pickle deserialization vulnerability.
- Audit for exfiltration of API keys, SSH credentials, and model files from hosts running LeRobot PolicyServer, as these are primary post-exploitation targets.
- The async inference component was noted by the LeRobot team as experimental and requiring near-complete refactoring; treat any deployment of this component in production as high-risk.
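The pattern the advisory describes (raw `pickle.loads()` on bytes taken off the network) beside a restricted loader that refuses to resolve any global not on an allow-list, as an added example that is not LeRobot's own code. `SAFE_GLOBALS` and the sample payloads are constructed assumptions, not the project's real message types.

```python
import io
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs a trusted payload legitimately needs.
# Anything else is refused before any constructor or __reduce__ callable
# can run. Hypothetical list for this example; extend it only with types
# you have reviewed.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed globals."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused global {module}.{name} in untrusted pickle")

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on network-received bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def vulnerable_loads(data: bytes):
    """The pattern the advisory describes: unrestricted pickle.loads()."""
    return pickle.loads(data)

def demo():
    # Constructed sample payloads standing in for gRPC message bodies.
    plain = pickle.dumps({"joint_pos": [0.1, 0.2, 0.3], "step": 7})
    # Benign, but carries a global reference (collections.OrderedDict);
    # the restricted loader must refuse it because it is not allow-listed.
    with_global = pickle.dumps(OrderedDict(a=1))
    results = {}
    results["plain_ok"] = safe_loads(plain) == vulnerable_loads(plain)
    try:
        safe_loads(with_global)
        results["global_refused"] = False
    except pickle.UnpicklingError:
        results["global_refused"] = True
    # The unrestricted loader resolves the global without question; any
    # callable reachable that way runs during load. That is the bug.
    results["vulnerable_accepts_global"] = isinstance(
        vulnerable_loads(with_global), OrderedDict)
    return results

if __name__ == "__main__":
    print(demo())
```

Restricting `find_class` removes the global-resolution path that code execution depends on, but it does not replace authenticating and encrypting the gRPC channel; a non-executable encoding such as JSON or protobuf fields for observations and actions is the more robust fix.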
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-f7vj-73pm-m822 (unreviewed, published 2026-04-23): CVE-2026-25874, CRITICAL, CWE-502. The advisory text matches the description above: LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components; an unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.
VulDB
VulDB entry 3047 (published 2026-04-23, CVSS 9.3): CVE-2026-25874, CRITICAL, "Hugging Face LeRobot up to 0.5.1 Pickle pickle.loads deserialization".
A vulnerability was found in Hugging Face LeRobot up to 0.5.1 and has been declared critical. It affects the function pickle.loads of the component Pickle Handler; manipulation of its input leads to unsafe deserialization.
The attack may be performed from remote. There is no available exploit.
A patch should be applied to remediate this issue.
No detection rules found.
No public exploits indexed.