Refine your search
1 vulnerability found for LeRobot by huggingface
CVE-2025-10772 (GCVE-0-2025-10772)
Vulnerability from cvelistv5
Published
2025-09-21 23:32
Modified
2025-09-22 17:29
Severity ?
5.3 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| huggingface | LeRobot |
Version: 0.3.0 Version: 0.3.1 Version: 0.3.2 Version: 0.3.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10772",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-22T17:29:44.471588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T17:29:49.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.649798"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"ZeroMQ Socket Handler"
],
"product": "LeRobot",
"vendor": "huggingface",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
},
{
"status": "affected",
"version": "0.3.2"
},
{
"status": "affected",
"version": "0.3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "kexinoh (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in huggingface LeRobot bis 0.3.3 gefunden. Es geht dabei um eine nicht klar definierte Funktion der Datei lerobot/common/robot_devices/robots/lekiwi_remote.py der Komponente ZeroMQ Socket Handler. Mittels Manipulieren mit unbekannten Daten kann eine missing authentication-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei im lokalen Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-21T23:32:05.896Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325128 | huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325128"
},
{
"name": "VDB-325128 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325128"
},
{
"name": "Submit #649798 | huggingface lerobot \u003c0.3.3 Execution with Unnecessary Privileges",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.649798"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-21T10:29:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10772",
"datePublished": "2025-09-21T23:32:05.896Z",
"dateReserved": "2025-09-21T08:24:47.566Z",
"dateUpdated": "2025-09-22T17:29:49.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}