LeRobot Unsafe Deserialization Vulnerability in gRPC Pipeline Leading to Remote Code Execution

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in LeRobot versions through 0.5.1. The issue arises from unsafe deserialization of network data with pickle.loads() in the asynchronous inference pipeline. It is present in both the policy server and the robot client, which deserialize incoming messages received over unauthenticated gRPC channels that do not use TLS. An unauthenticated attacker who can reach the gRPC port can exploit this by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected server or client.

Reproduction

The vulnerability can be reproduced by sending a malicious pickle payload through the vulnerable gRPC methods. Because pickle reconstructs objects by invoking callables named in the stream, the payload runs inside the pickle.loads() call itself, before any validation of the resulting object can be applied.

Remediation

A fix has been implemented in LeRobot version 0.6.0, which replaces the unsafe pickle serialization with a safer alternative using safetensors and JSON. Users are advised to update to this version.
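The following is an added illustration of the before/after pattern described above; it is not LeRobot's code and not the 0.6.0 fix. It contrasts the vulnerable shape (pickle.loads() on bytes that arrived from the network) with a data-only wire format: a JSON header describing a named array plus a raw fixed-width numeric payload, standing in for the safetensors-plus-JSON approach using only the standard library. The message layout, field names (name, dtype, shape), size limit and allowed dtypes are assumptions made for the example. A small heuristic for spotting pickle streams in captured traffic is included because it is the check a defender typically wants when auditing such a pipeline.

```python
import json
import math
import pickle
import struct
from typing import Any

# Hypothetical wire format used only by this example (not LeRobot's format):
#   4-byte big-endian header length | UTF-8 JSON header | raw little-endian array payload
# The JSON header carries data only (name, dtype, shape); the payload is fixed-width numbers.
ALLOWED_DTYPES = {"float32": ("f", 4), "int64": ("q", 8)}  # struct code, bytes per element
MAX_HEADER_BYTES = 4096  # assumed upper bound for the metadata header


def unsafe_decode(blob: bytes) -> Any:
    """The vulnerable pattern: pickle.loads() on bytes received from the network.
    Object reconstruction happens during the call itself, so any check the caller
    performs on the returned object comes too late to matter."""
    return pickle.loads(blob)


def looks_like_pickle(blob: bytes) -> bool:
    """Detection heuristic: pickle protocol 2 and later begins with the PROTO
    opcode 0x80 followed by the protocol number. Useful when auditing captured
    traffic or logged payloads; protocols 0 and 1 lack the prefix, so a False
    result is not proof of absence."""
    return len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= pickle.HIGHEST_PROTOCOL


def safe_encode(name: str, dtype: str, shape: list, values: list) -> bytes:
    """Serialize one named array as JSON metadata plus a raw numeric payload."""
    code, _ = ALLOWED_DTYPES[dtype]
    count = math.prod(shape)  # an empty shape denotes a single scalar
    if len(values) != count:
        raise ValueError("value count does not match shape")
    header = json.dumps({"name": name, "dtype": dtype, "shape": list(shape)}).encode("utf-8")
    payload = struct.pack(f"<{count}{code}", *values)
    return struct.pack(">I", len(header)) + header + payload


def safe_decode(blob: bytes) -> dict:
    """Parse the format above. Every field is checked against a fixed schema
    before use, and nothing in the input can name a callable to run.
    All malformed input is rejected with ValueError."""
    if len(blob) < 4:
        raise ValueError("truncated length prefix")
    (header_len,) = struct.unpack(">I", blob[:4])
    if header_len > MAX_HEADER_BYTES or len(blob) < 4 + header_len:
        raise ValueError("bad header length")
    # bytes.decode and json.loads raise ValueError subclasses on malformed input
    header = json.loads(blob[4:4 + header_len].decode("utf-8"))
    if not isinstance(header, dict) or set(header) != {"name", "dtype", "shape"}:
        raise ValueError("header does not match schema")
    name, dtype, shape = header["name"], header["dtype"], header["shape"]
    if not isinstance(name, str) or dtype not in ALLOWED_DTYPES:
        raise ValueError("bad name or dtype")
    # type(d) is int rejects bool, which is an int subclass in Python
    if not (isinstance(shape, list) and all(type(d) is int and d >= 0 for d in shape)):
        raise ValueError("bad shape")
    code, elem_size = ALLOWED_DTYPES[dtype]
    count = math.prod(shape)
    payload = blob[4 + header_len:]
    if len(payload) != count * elem_size:
        raise ValueError("payload size does not match shape")
    values = list(struct.unpack(f"<{count}{code}", payload))
    return {"name": name, "dtype": dtype, "shape": shape, "values": values}


if __name__ == "__main__":
    # Constructed sample message: a 2x2 float32 array named "joint_positions"
    msg = safe_encode("joint_positions", "float32", [2, 2], [0.5, -1.0, 2.0, 3.25])
    print(safe_decode(msg))
    print("pickle-like:", looks_like_pickle(pickle.dumps({"k": 1})), looks_like_pickle(msg))
```

The design point is that safe_decode can only ever produce strings, integers, lists and floats taken from a fixed schema; a parser of this kind can be fuzzed and reasoned about, whereas no amount of checking on the object returned by unsafe_decode helps, since the damage is done inside the call. Adding TLS and client authentication to the channel narrows who can reach the endpoint but does not change that property, which is why the advisory's fix replaces the serializer rather than only securing the transport.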

Added: Apr 23, 2026, 9:01 PM
Updated: Apr 23, 2026, 9:01 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.