Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

Summary

A critical unpatched vulnerability (CVE-2026-25874) has been discovered in Hugging Face's LeRobot, an open-source robotics platform. The flaw, rated CVSS 9.3, allows unauthenticated remote code execution because the platform deserializes untrusted data.

IFF Assessment

FOE

This flaw enables unauthenticated remote code execution, which is a severe threat to system security and data integrity.

Severity

9.3 Critical

The high CVSS score of 9.3 reflects the severity of unauthenticated remote code execution, which allows an attacker to gain full control of the affected system without needing any prior credentials.

Defender Context

Defenders should prioritize patching or mitigating this vulnerability on any system running Hugging Face's LeRobot platform. The ease of exploitation and the impact of remote code execution make this a significant risk for any organization involved in robotics or AI development.
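The page does not identify which loader in LeRobot deserializes the untrusted data, so the following is an added illustration of the general mitigation for the vulnerability class, not LeRobot's own code: it assumes a Python pickle-style loader (a common deserialization path in the Hugging Face ecosystem) and shows two defender controls, a static scan that lists the globals a serialized artifact would import without executing it, and a restricted unpickler that refuses any global not on an allowlist. The sample payloads are constructed inline; `SAFE_GLOBALS`, `referenced_globals`, `safe_loads` and `is_safe_pickle` are names chosen here.

```python
import io
import pickle
import pickletools

# Allowlist of (module, name) pairs a loader of model/dataset artifacts may
# reconstruct. Constructed here as an example policy; tune it to the types your
# artifacts legitimately contain. Anything outside the set is rejected *before*
# the unpickler would call it, which is what turns "deserialize untrusted data"
# back into "parse a data structure".
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list the globals a pickle stream would import, without loading it.

    Walks the opcode stream with pickletools.genops (no code is executed).
    Handles the GLOBAL opcode (module and name carried in the opcode argument)
    and STACK_GLOBAL (module and name pushed as the two preceding strings, as
    CPython emits them for protocol 4+). This is a triage heuristic for
    CPython-produced streams; a stream that reaches the strings via memo
    lookups would evade it, so enforcement belongs in safe_loads below.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals.

    find_class is the hook pickle calls for every GLOBAL/STACK_GLOBAL; raising
    here means the object is never imported, so it can never be invoked by a
    later REDUCE opcode.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to resolve global {module}.{name}: not on allowlist"
        )


def safe_loads(data: bytes):
    """Deserialize `data` under the allowlist policy; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the stream loads without touching a disallowed global."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    import collections

    # Constructed samples: plain data, an allowlisted type, and a stream that
    # merely references a non-allowlisted callable (it is never invoked).
    plain = pickle.dumps({"joint_positions": [0.1, 0.2, 0.3]})
    allowed = pickle.dumps(collections.OrderedDict(a=1))
    disallowed = pickle.dumps(eval)

    for label, blob in (("plain", plain), ("allowed", allowed), ("disallowed", disallowed)):
        print(label, referenced_globals(blob), is_safe_pickle(blob))
```

In a deployment the static scan is what you run over incoming artifacts in CI or at ingest (it flags any import the file would perform), and `safe_loads` is what the service uses in place of a bare `pickle.load`. Where the artifact is a model checkpoint, preferring a non-executable format such as safetensors removes the deserialization attack surface entirely, which is a stronger fix than allowlisting.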
