CVE-2025-10772 MEDIUM

CVE-2025-10772: huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication

Vendor Huggingface
Product LeRobot
Weakness CWE-306 · Missing Authentication
Published September 21, 2025
Last update September 22, 2025

CVSS base score

5.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was identified in huggingface LeRobot up to version 0.3.3. An unknown function in the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler is affected. The manipulation leads to missing authentication. The attack can only be initiated from within the local network. The vendor was contacted early about this disclosure but did not respond in any way.

Disclosure timeline

September 21, 2025 CVE published
September 22, 2025 Record updated