CVE-2026-25874 Overview
CVE-2026-25874 is a critical insecure deserialization vulnerability affecting LeRobot through version 0.5.1. The vulnerability exists in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS encryption in both the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.
Critical Impact
Remote code execution is achievable by unauthenticated attackers with network access to the gRPC endpoint, potentially compromising both policy servers and robot client systems without any user interaction.
Affected Products
- LeRobot versions through 0.5.1
- LeRobot policy server component
- LeRobot robot client component
Discovery Timeline
- 2026-04-23 - CVE-2026-25874 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-25874
Vulnerability Analysis
This vulnerability stems from the use of Python's native pickle serialization module for handling untrusted data over network channels. The LeRobot async inference pipeline accepts serialized objects through gRPC endpoints without implementing authentication, encryption, or input validation. Python's pickle module is inherently unsafe for deserializing untrusted data because it can execute arbitrary code during the deserialization process.
The affected gRPC methods—SendPolicyInstructions, SendObservations, and GetActions—all process incoming pickle-serialized data using pickle.loads(). Since these channels lack TLS encryption and authentication mechanisms, any network-adjacent attacker can inject malicious pickle payloads that execute arbitrary code when deserialized.
Root Cause
The root cause is the use of pickle.loads() on untrusted network input without proper security controls. This represents CWE-502: Deserialization of Untrusted Data. The combination of unauthenticated gRPC endpoints and the inherently dangerous pickle deserialization creates a direct path to remote code execution. The lack of TLS further exacerbates the risk by exposing the communication channel to network interception and injection attacks.
Attack Vector
The attack requires network reachability to the vulnerable gRPC endpoints. An attacker crafts a malicious pickle payload containing code execution primitives (such as __reduce__ methods that invoke system commands) and sends it to one of the vulnerable gRPC methods. When the LeRobot server or client processes this request, pickle.loads() deserializes the payload, triggering arbitrary code execution in the context of the LeRobot process.
The vulnerability is particularly dangerous because:
- No authentication is required to access the gRPC endpoints
- Both server and client components are vulnerable
- The attack requires no user interaction
- Full system compromise is possible upon successful exploitation
Technical analysis and proof-of-concept details are available in the Chocapikk RCE Analysis and the VulnCheck Advisory.
Detection Methods for CVE-2026-25874
Indicators of Compromise
- Unexpected network connections to LeRobot gRPC ports from untrusted sources
- Anomalous process spawning from LeRobot Python processes
- Unusual system commands or shell activity originating from the LeRobot service context
- Network traffic containing pickle-serialized payloads with suspicious __reduce__ or code execution patterns
Detection Strategies
- Monitor network traffic to gRPC endpoints for connections from unauthorized IP addresses
- Implement application-level logging to capture all incoming gRPC requests and payloads
- Deploy endpoint detection and response (EDR) solutions to identify process injection or unusual child process creation from LeRobot processes
- Use network intrusion detection systems (NIDS) to flag unencrypted gRPC traffic containing pickle serialization markers
Monitoring Recommendations
- Enable verbose logging for LeRobot policy server and robot client components
- Configure alerts for any process execution events spawned by the LeRobot service user
- Monitor for unexpected outbound network connections that may indicate post-exploitation activity
- Implement network segmentation to restrict access to LeRobot gRPC endpoints to trusted hosts only
How to Mitigate CVE-2026-25874
Immediate Actions Required
- Restrict network access to LeRobot gRPC endpoints using firewall rules, allowing only trusted IP addresses
- Isolate LeRobot deployments in segmented network zones until patches can be applied
- Monitor for any signs of compromise using the detection strategies outlined above
- Review system logs for any historical evidence of exploitation attempts
Patch Information
The vulnerability has been addressed in the LeRobot repository. Users should refer to GitHub Pull Request #3048 for the security fix. Upgrade to a patched version as soon as available by monitoring the official repository and release notes.
Additional context and discussion can be found in GitHub Issue #3047 and GitHub Issue #3134.
Workarounds
- Implement network-level access controls (firewalls, security groups) to restrict gRPC endpoint access to trusted hosts only
- Deploy a TLS-terminating proxy in front of LeRobot gRPC services to add encryption and potentially authentication
- Run LeRobot services in isolated containers or sandboxed environments to limit the blast radius of potential exploitation
- Consider disabling the async inference pipeline if not required for your use case until a patch is applied
# Example: Restrict gRPC port access using iptables
# Allow only trusted IP range to access LeRobot gRPC port (example port 50051)
iptables -A INPUT -p tcp --dport 50051 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 50051 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
