VMTech

Critical Vulnerability in LeRobot (Hugging Face): Unauthenticated RCE via pickle

Colleagues, a security alert: a critical vulnerability in LeRobot (Hugging Face) has been disclosed — CVE-2026-25874 (CVSS 9.3).

Key points:
- In async inference (PolicyServer and robot client), an unsafe pickle.loads() call deserializes data received over unauthenticated gRPC without TLS.
- An attacker can deliver a crafted payload via SendPolicyInstructions / SendObservations / GetActions to achieve RCE.
- Confirmed on LeRobot 0.4.3; fix planned for 0.6.0.

Why this matters: inference services often run with elevated privileges — risks include key exfiltration, host compromise and threats to physical safety.

What immediate steps would you take right now?

#cybersecurity #vulnerabilities #OpenSource #AI
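
An added example, not code from the post or from LeRobot and not the project's fix: why `pickle.loads()` on network input is unsafe, next to an allowlisting unpickler that rejects the same bytes. The message shapes, the empty allowlist and all names below are assumptions made for illustration; the crafted sample is constructed and only calls `len`.

```python
import io
import pickle

# Assumption: messages carry only builtin containers and scalars, so no
# importable global is ever needed. Extend deliberately, never with wildcards.
ALLOWED_GLOBALS = frozenset()


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowlisted."""

    def find_class(self, module, name):
        # Called whenever the byte stream asks the receiver to import
        # something by name (GLOBAL / STACK_GLOBAL opcodes).
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global: {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    """Replacement for pickle.loads() on data that arrived over the network."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


class _SenderChosenCall:
    """Constructed, harmless stand-in for a crafted message."""

    def __reduce__(self):
        # Instructs the receiver to call builtins.len("abc") while loading.
        return (len, ("abc",))


def make_samples():
    """Return (benign, crafted) pickle bytes; both are constructed samples."""
    benign = pickle.dumps({"timestep": 7, "state": [0.1, 0.2, 0.3]})
    crafted = pickle.dumps(_SenderChosenCall())
    return benign, crafted


def is_rejected(data: bytes) -> bool:
    """True if the allowlisting unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    benign, crafted = make_samples()
    print("plain loads ran the sender's call:", pickle.loads(crafted))
    print("restricted, benign:", restricted_loads(benign))
    print("restricted rejects crafted:", is_rejected(crafted))
```

An allowlist only narrows what a stream may import; it does not authenticate the peer or protect the gRPC channel.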
