11 matches found

The Hacker News
added 2026/04/28 11:18 a.m. | 5 views

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution. The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3),...

CVSS 9.3 | AI score 7.4 | EPSS 0.00162
Exploits: 1

Vulnrichment
added 2026/04/23 7:45 p.m. | 3 views

CVE-2026-25874 LeRobot Unsafe Deserialization Remote Code Execution via gRPC

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable...

CVSS 9.3 | AI score 6.5 | EPSS 0.00162
Exploits: 1 | References: 5

CNNVD
added 2026/04/23 12:0 a.m. | 3 views

lerobot code issue vulnerability

LeRobot is a robot programming library open-sourced by Hugging Face. Versions of LeRobot prior to 0.5.1 had code vulnerabilities. These vulnerabilities stemmed from unsafe deserialization in the asynchronous inference pipeline. The pickle.loads function was used to deserialize data received throug...

CVSS 9.8 | AI score 6.4 | EPSS 0.00162
Exploits: 1 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-30385

Malicious code in bioql PyPI...

CVSS 6.3 | AI score 6.6 | EPSS 0.00022
Exploits: 0 | References: 4

RedhatCVE
added 2025/09/24 12:28 a.m. | 4 views

CVE-2025-10772

A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robotdevices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can onl...

CVSS 6.3 | AI score 6.1 | EPSS 0.00022
Exploits: 0 | References: 1

NVD
added 2025/09/22 12:15 a.m. | 2 views

CVE-2025-10772

A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robotdevices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can onl...

CVSS 6.3 | EPSS 0.00022
Exploits: 0 | References: 3

CNNVD
added 2025/09/22 12:0 a.m. | 1 views

lerobot security vulnerability

lerobot is a robot programming library open-sourced by Hugging Face. A security vulnerability exists in huggingface LeRobot 0.3.3 and earlier versions, which stems from a lack of authentication in the ZeroMQ Socket Handler component and could lead to an attack within the local network...

CVSS 6.3 | AI score 6.4 | EPSS 0.00022
Exploits: 0 | References: 4

Vulnrichment
added 2025/09/21 11:32 p.m. | 2 views

CVE-2025-10772 huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication

A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robotdevices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can onl...

CVSS 6.3 | AI score 6.2 | EPSS 0.00022
Exploits: 0 | References: 3

Cvelist
added 2025/09/21 11:32 p.m. | 32 views

CVE-2025-10772 huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication

A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robotdevices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can onl...

CVSS 6.3 | EPSS 0.00022
Exploits: 0 | References: 3

CVE
added 2025/09/21 11:32 p.m. | 11 views

CVE-2025-10772

CVE-2025-10772 affects huggingface LeRobot up to 0.3.3. The vulnerability lies in the ZeroMQ Socket Handler’s lekiwi_remote.py, causing missing authentication and enabling local-network access within the affected component. Affected software is LeRobot (up to 0.3.3); the issue is triggered via th...

CVSS 6.3 | AI score 6.2 | EPSS 0.00022
Exploits: 0 | References: 3

Positive Technologies
added 2025/09/21 12:0 a.m. | 2 views

PT-2025-38670

Name of the Vulnerable Software and Affected Versions: huggingface LeRobot versions up to 0.3.3. Description: A vulnerability exists in huggingface LeRobot up to version 0.3.3 related to missing authentication within the ZeroMQ Socket Handler functionality of the file lerobot/common/robot...

CVSS 6.3 | AI score 6.2 | EPSS 0.00022
Exploits: 0 | References: 6