CVE-2025-10772

Summary

A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
huggingfaceLeRobot0.3.0affected
huggingfaceLeRobot0.3.1affected
huggingfaceLeRobot0.3.2affected
huggingfaceLeRobot0.3.3affected

Weaknesses

  • CWE-306: Missing Authentication
  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References