
CVE-2026-25874: Hugging Face LeRobot Unauthenticated Remote Code Execution via Pickle Deserialization

Date: 2026-04-30
Tags: malicious-tool, supply-chain

Executive Summary

CVE-2026-25874 (CVSS 9.3) enables unauthenticated attackers to execute arbitrary system commands on vulnerable Hugging Face LeRobot hosts. With the project at nearly 24,000 GitHub stars, the vulnerability poses severe risk to AI infrastructure, connected robots, and sensitive proprietary data. The PolicyServer and RobotClient components use Python's pickle module to deserialize data received over gRPC channels that have neither TLS nor authentication. By sending maliciously crafted serialized payloads, attackers trigger arbitrary code execution automatically during deserialization.

Campaign Summary

Campaign / Malware: LeRobot Pickle Deserialization Supply Chain Exploitation
Attribution: Unknown (confidence: none)
Target: Organizations deploying Hugging Face LeRobot for robotics and AI inference; AI development teams; enterprises relying on roboticist tooling
Vector: Unauthenticated gRPC API accepting malicious pickle payloads via network-accessible deployment
Status: active
First Observed: 2026-04-29

Detailed Findings

The flaw exists in the async inference module: PolicyServer and RobotClient deserialize untrusted data received over gRPC without Transport Layer Security or authentication. The gRPC server binds with add_insecure_port(), so no TLS is applied. A malicious payload executes inside pickle.loads() before any type validation runs; exploitation requires neither credentials nor a multi-step attack chain. AI inference servers typically run with elevated privileges, so a successful breach is devastating: attackers gain complete administrative control, lateral network movement, ML model corruption, Hugging Face API key exfiltration, and potential sabotage of connected physical robots. Hugging Face originally developed the safetensors format specifically to eliminate pickle-related security risks, yet LeRobot continues to use pickle deserialization on this path.

MITRE ATT&CK Mapping

Exploit Public-Facing Application (T1190): Unauthenticated gRPC endpoint exposed to the network accepts a malicious payload
Deserialization of Untrusted Data (T1042): Python pickle module executes arbitrary code during deserialization without validation
Lateral Tool Transfer (T1570): Compromised AI server enables access to internal networks and connected robotic systems

IOCs

Domains

Affected package: lerobot published on Hugging Face. No public IOCs or exploit samples disclosed at publication.

Full URL Paths

Affected package: lerobot published on Hugging Face. No public IOCs or exploit samples disclosed at publication.

Splunk Format

No IOCs available for Splunk query

Package Indicators

lerobot (all versions up to 0.5.1)

Detection Recommendations

Monitor gRPC traffic to LeRobot instances for unusual serialized payloads or error responses that indicate deserialization failures. Implement strict network segmentation and disable add_insecure_port() on all production inference servers. Audit logs for RPC handler invocations (SendPolicyInstructions, SendObservations) from unexpected sources. Enforce mutual TLS authentication on all gRPC channels. Regularly scan for exposed LeRobot deployments using port scanning or service enumeration. Test segmentation to confirm that a compromised LeRobot instance cannot pivot to Hugging Face credential stores or downstream AI systems.
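The deserialization mechanism from Detailed Findings and the payload monitoring recommended above, as an added example that is not LeRobot's or Hugging Face's code: a static opcode walk that lists the globals a received pickle would import without executing it, and a find_class() allowlist for the receive path. SAFE_GLOBALS, the sample payloads and every function name here are assumptions constructed for the example.

```python
import io
import json
import pickle
import pickletools

# Hypothetical allowlist; the real RobotClient/PolicyServer message schema would define it.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"}


def referenced_globals(payload: bytes) -> set:
    """List the (module, name) globals a pickle stream would import, by walking its
    opcodes with pickletools.genops instead of executing it. STACK_GLOBAL operands are
    read from the strings pushed just before it; a memo fetch is reported as
    "<unresolved>" so that an allowlist comparison fails closed."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(payload):
        if op.name in ("GLOBAL", "INST"):            # protocols 0-3: inline "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":               # protocol 4+: operands on the stack
            name = strings.pop() if strings else "<unresolved>"
            mod = strings.pop() if strings else "<unresolved>"
            found.add((mod, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            strings.append("<unresolved>")            # memo not modelled: fail closed
    return found


def inspect_payload(payload: bytes):
    """Detection side: (is_safe, offending_globals); malformed streams fail closed."""
    try:
        bad = {g for g in referenced_globals(payload) if g not in SAFE_GLOBALS}
    except ValueError:
        return False, {("<malformed>", "<malformed>")}
    return not bad, bad


class RestrictedUnpickler(pickle.Unpickler):
    """Hardening side: find_class() is pickle's only import hook; refusing names off
    the allowlist denies a payload every callable that REDUCE could invoke."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


# Constructed samples: an observation-like dict, and streams that merely reference a
# callable outside the allowlist (nothing is ever called).
BENIGN = pickle.dumps({"observation": [1, 2, 3], "step": 7})
SUSPICIOUS = {p: pickle.dumps(json.dumps, protocol=p) for p in (2, 4)}
```

The static walk is the network-side check (it never runs the stream); the RestrictedUnpickler is what the receiving handler should use instead of a bare pickle.loads().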

References