
Description

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.
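The deserialization risk described above, as an added illustration that is not code from LeRobot or from the referenced mitigation: plain `pickle.loads()` beside an allow-list `pickle.Unpickler`. The allow-list entry, the sample messages and the benign `_Constructed` class are assumptions constructed for this example.

```python
import collections
import io
import os
import pickle

# Hypothetical allow-list: the only globals a received message may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize bytes from an untrusted peer without resolving arbitrary globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Constructed:
    """Constructed, benign stand-in for a crafted message: it names a callable to run on load."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    # Constructed sample messages (not real LeRobot payloads).
    plain = pickle.dumps({"joint_positions": [0.1, 0.2], "t": 3})
    ordered = pickle.dumps(collections.OrderedDict(a=1))
    crafted = pickle.dumps(_Constructed())

    results = {
        "plain": safe_loads(plain),      # builtin containers need no globals
        "ordered": safe_loads(ordered),  # allow-listed global resolves
        # pickle.loads() calls whatever callable the sender named and returns its result.
        "unsafe_ran_callable": pickle.loads(crafted) == os.getcwd(),
    }
    try:
        safe_loads(crafted)
        results["crafted_blocked"] = False
    except pickle.UnpicklingError:
        results["crafted_blocked"] = True  # rejected before the callable is looked up
    return results
```

An allow-list only narrows what a message can reference; it does not authenticate the peer, so the gRPC channel still needs TLS and authentication.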

PUBLISHED Reserved 2026-02-06 | Published 2026-04-23 | Updated 2026-04-24 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unknown

Any version
affected

Credits

Valentin Lobstein (Chocapikk) finder

References

chocapikk.com/posts/2026/lerobot-pickle-rce/ technical-description exploit

github.com/huggingface/lerobot/issues/3047 issue-tracking

github.com/huggingface/lerobot/pull/3048 mitigation

github.com/huggingface/lerobot/issues/3134 vendor-advisory

www.vulncheck.com/...lization-remote-code-execution-via-grpc third-party-advisory

cve.org (CVE-2026-25874)

nvd.nist.gov (CVE-2026-25874)
