Critical Unpatched Flaw in Hugging Face LeRobot Enables Unauthenticated RCE
Cybersecurity researchers from Eclypsium have disclosed a critical, unpatched vulnerability in Hugging Face’s open‑source robotics framework LeRobot, which boasts nearly 24,000 GitHub stars. The flaw, tracked as CVE‑2024‑51832, resides in the platform’s task‑scheduler service and can be exploited without any authentication, allowing a remote attacker to execute arbitrary code on the host system.
The weakness stems from a missing access‑control check in the LeRobot API endpoint `/api/run_task`. The endpoint accepts a JSON payload that is directly fed to Python’s `pickle` deserializer, which blindly reconstructs objects from the serialized data. Because the call does not verify the origin or integrity of the request, an attacker can craft a malicious pickle payload that, when deserialized, runs shell commands with the privileges of the LeRobot service—often root. The attack can be launched with a simple HTTP POST request to `http://
LeRobot is widely used for training, simulating, and controlling both simulated and physical robots, making the vulnerability particularly severe. A successful exploit could let adversaries steal proprietary training datasets, modify robot control policies, or cause misbehaving robots in real‑world environments. In the absence of a patch, the research team recommends immediately restricting access to the API via firewall rules, disabling the RPC interface, and monitoring for unusual POST requests to the `/api/run_task` endpoint.
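As an added illustration (not LeRobot's code and not taken from the Eclypsium report), the snippet below places the unsafe `pickle.loads` pattern described above beside two defensive alternatives: a restricted unpickler that refuses every global lookup, and a data-only JSON handler with an explicit field schema. The handler names, the task fields and the sample payloads are constructed for this example.

```python
import io
import json
import pickle
from typing import Any, Callable

# Constructed example; the handler names and task fields are hypothetical and
# only mirror the article's description of a /api/run_task style endpoint.

def run_task_unsafe(body: bytes) -> Any:
    # Vulnerable pattern: the raw request body goes straight to pickle. Any
    # GLOBAL/STACK_GLOBAL + REDUCE sequence in it can import and call code.
    return pickle.loads(body)

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every class/function lookup, so only plain data types
    (dict, list, str, int, ...) can be rebuilt from the stream."""
    def find_class(self, module: str, name: str) -> Any:
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def run_task_restricted(body: bytes) -> Any:
    # Still pickle on the wire, but object lookups are blocked entirely.
    return RestrictedUnpickler(io.BytesIO(body)).load()

ALLOWED_TASK_KEYS = {"task", "episode", "fps"}  # hypothetical schema

def run_task_json(body: bytes) -> dict:
    # Preferred fix: a data-only format plus strict validation of the fields.
    obj = json.loads(body)
    if not isinstance(obj, dict) or not set(obj) <= ALLOWED_TASK_KEYS:
        raise ValueError("unexpected task fields")
    if not isinstance(obj.get("task"), str):
        raise ValueError("task must be a string")
    return obj

def benign_payload() -> bytes:
    # A pickle that contains only data; no global lookups are needed to load it.
    return pickle.dumps({"task": "record", "fps": 30})

def global_reference_payload() -> bytes:
    # A harmless pickle that references a global (builtins.len). Loading it
    # exercises the same find_class path an object-reconstructing payload would.
    return pickle.dumps(len)

def rejects(handler: Callable[[bytes], Any], body: bytes) -> bool:
    try:
        handler(body)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False
```

The restricted unpickler is a stopgap; replacing pickle with a schema-checked data format, as `run_task_json` does, removes the deserialization primitive altogether.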
Hugging Face has acknowledged the report and says it is working on a security update that will add proper authentication to the affected endpoint. Users are advised to apply the suggested mitigations and to watch for forthcoming patches. The discovery underscores the growing attack surface of AI‑centric platforms that blend model serving with physical device control, highlighting the need for rigorous security testing in the AI‑robotics ecosystem.