Unpatched pickle bug allows RCE in Hugging Face LeRobot

An unpatched pickle deserialization flaw in Hugging Face’s LeRobot PolicyServer lets unauthenticated actors execute code via gRPC calls (CVE-2026-25874, CVSS 9.3).

Hugging Face’s open-source robotics framework LeRobot contains a pickle deserialization flaw in its PolicyServer that allows unauthenticated attackers to execute arbitrary code over the network. The vulnerability is tracked as CVE-2026-25874 and carries a CVSS score of 9.3. Security advisories say the defect affects the async inference pipeline.

The issue arises because the PolicyServer uses Python’s pickle.loads() to deserialize data received over unauthenticated gRPC channels that do not use TLS. An attacker able to reach the PolicyServer network port can send a crafted pickle payload through the SendPolicyInstructions, SendObservations or GetActions gRPC calls and trigger remote code execution on the host running the service, according to the project advisory and researchers who tested the flaw.
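To make the mechanism concrete, the following is an added, constructed example and not LeRobot code: it models a server handler that unpickles bytes received from a client (as the advisory describes for PolicyServer), shows how a sender controls which callable runs on load, and then contrasts two mitigations. The handler names, the observation schema, the `RestrictedUnpickler` safelist and the payload contents are all assumptions made for illustration; only the Python standard library is used, and the "malicious" payload deliberately calls a harmless expression so the effect can be observed without damage.

```python
"""Constructed demonstration of pickle.loads() over an untrusted channel.
Not LeRobot code: handler names, schema and safelist are illustrative."""
import io
import json
import os
import pickle


# --- 1. The vulnerable pattern: unpickle whatever the network delivered --------

def vulnerable_load_observation(payload: bytes):
    """Models a server handler that trusts client bytes. pickle.loads() will
    import and invoke any callable the stream names; there is no validation."""
    return pickle.loads(payload)


class MaliciousObservation:
    """Constructed attacker object. Its __reduce__ tells the *receiver* which
    callable to run and with which arguments. A real payload would name
    os.system or subprocess.Popen; this one calls builtins.eval on a harmless
    expression so the side effect is observable rather than destructive."""
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(MaliciousObservation(), protocol=pickle.HIGHEST_PROTOCOL)


def build_benign_payload() -> bytes:
    # What a legitimate client might send: plain containers and numbers only.
    return pickle.dumps({"joint_pos": [0.1, 0.2, 0.3], "step": 7},
                        protocol=pickle.HIGHEST_PROTOCOL)


# --- 2. Stopgap: refuse to resolve any global the stream asks for --------------

class RestrictedUnpickler(pickle.Unpickler):
    """Override find_class so the stream cannot name arbitrary callables.
    Plain dict/list/int/float/str/bytes never trigger find_class, so a benign
    observation still loads; anything that needs a global import is rejected."""
    # Assumed safelist for this demo; an empty set is the strictest choice.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load_observation(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


# --- 3. Preferred fix: a format that cannot encode code at all -----------------

def encode_observation_json(obs: dict) -> bytes:
    return json.dumps(obs).encode()


def safe_load_observation(payload: bytes) -> dict:
    """JSON has no notion of callables, so decoding runs no code. Validate the
    shape explicitly instead of relying on the serializer to do it."""
    obs = json.loads(payload)
    if not isinstance(obs, dict):
        raise ValueError("observation must be an object")
    joints = obs.get("joint_pos")
    if not (isinstance(joints, list)
            and all(isinstance(v, (int, float)) for v in joints)):
        raise ValueError("joint_pos must be a list of numbers")
    if not isinstance(obs.get("step"), int):
        raise ValueError("step must be an integer")
    return obs


def demo() -> dict:
    """Runs each loader against both payloads and reports what happened."""
    out = {}
    # The "observation" that comes back is the server's own PID: arbitrary
    # Python ran inside the server process during deserialization.
    out["vulnerable_ran_attacker_code"] = (
        vulnerable_load_observation(build_malicious_payload()) == os.getpid())
    out["restricted_loads_benign"] = (
        restricted_load_observation(build_benign_payload())["step"] == 7)
    try:
        restricted_load_observation(build_malicious_payload())
        out["restricted_blocks_malicious"] = False
    except pickle.UnpicklingError:
        out["restricted_blocks_malicious"] = True
    out["json_roundtrip"] = safe_load_observation(
        encode_observation_json({"joint_pos": [0.1, 0.2], "step": 1}))["step"] == 1
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is a stopgap, not a fix: the Python documentation itself warns that pickle is not secure against erroneous or maliciously constructed data, and a `find_class` override only narrows what the stream can reference. The durable change is the one the advisory recommends, a schema-bound format such as JSON or a typed protobuf message, decoded behind an authenticated channel.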

VulnCheck researcher Valentin Lobstein validated the flaw against LeRobot version 0.4.3 and published technical details. The defect was independently reported by a researcher using the handle “chenpinji” in December 2025. The LeRobot team acknowledged the vulnerability in early January and said parts of the codebase were experimental and in need of refactoring. A fix is planned for LeRobot version 0.6.0; the vulnerability remained unpatched at the time of reporting.

Security firm Resecurity described the risk as high because inference services often run with elevated privileges to access internal networks, datasets and compute resources. Exploitation could allow unauthenticated remote code execution and full compromise of the host, control or disruption of connected robots, theft of API keys, SSH credentials or model files, lateral movement inside corporate networks, and crashes or model corruption that affect operations.

LeRobot is an open-source robotics toolkit with roughly 24,000 stars on GitHub and is used to build and run robot policies and inference tasks. The combination of network-exposed RPC interfaces, an unsafe serialization format and elevated runtime privileges increases the attack surface for organizations deploying the software in production.

VulnCheck’s Lobstein commented on the choice of pickle in the codebase, writing, “The irony here is hard to overstate.” LeRobot tech lead Steven Palma acknowledged the project’s research and prototyping origins and wrote that deployment security “hasn’t been a strong focus until now,” adding that the team will increase its emphasis on security as production use grows and that the community can help report and fix vulnerabilities.

Until the planned patch is released, operators running LeRobot instances are advised to restrict network access to PolicyServer ports, enable transport security where possible and isolate inference services and credentials. TLS on its own only protects the channel from eavesdropping and tampering; unless clients are also authenticated (for example with mutual TLS), any party that can connect can still deliver a crafted pickle, so network restriction and client authentication matter more than encryption alone. The project advisory notes that pickle can execute arbitrary Python code when loading crafted data and recommends using safer serialization formats and authenticated, encrypted channels for RPC traffic.
