| Field | Value |
|---|---|
| Title | huggingface lerobot <0.3.3 Execution with Unnecessary Privileges |

Description

In the file `lerobot/common/robot_devices/robots/lekiwi_remote.py`, ZeroMQ sockets are used for communication between the LeKiwi robot control server and external systems. However, the ports for these sockets are publicly exposed without any form of authentication or access control. Specifically:

• Command Socket: Bound to `tcp://*:{config.port}` for receiving control commands.
• Video Socket: Bound to `tcp://*:{config.video_port}` for sending sensor data and camera images.

This poses a significant security risk, as any device on the network can connect to these ports and:

• Send arbitrary commands to the robot, potentially causing unintended or dangerous behavior.
• Access sensitive data, such as camera images and robot state information.

Impact

• Security Risk: Unauthorized access to the robot's control system.
• Safety Risk: Malicious or accidental commands could harm the robot or its surroundings.
• Privacy Risk: Camera images and sensor data could be accessed by unauthorized parties.

Steps to Reproduce

1. Run the lekiwi_remote.py script on a machine connected to a network.
2. Use a ZeroMQ client (e.g., zmq.PUSH or zmq.PULL) to connect to the exposed ports.
3. Send commands to the robot or receive sensor data without any authentication.

Expected behavior

Bind to localhost or a specific IP range.
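As an added example (not LeRobot's own code), the wildcard bind described above is shown beside a bind that picks one concrete interface and enables CURVE encryption with a ZAP authenticator; the function names, the `endpoint_is_exposed` audit helper and the optional pyzmq import are assumptions, not part of the project.

```python
# Added example (not LeRobot's code): wildcard bind vs. hardened bind.
import ipaddress

try:
    import zmq
    import zmq.auth
except ImportError:  # pyzmq is optional; the endpoint checks run without it
    zmq = None

WILDCARD_HOSTS = {"*", "0.0.0.0", "::", ""}

def make_endpoint(host: str, port: int) -> str:
    """Build tcp://host:port, refusing wildcard hosts that expose the socket
    on every interface (the tcp://*:{port} form in lekiwi_remote.py)."""
    if not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    if host.strip() in WILDCARD_HOSTS:
        raise ValueError("wildcard bind refused; use 127.0.0.1 or one interface")
    addr = ipaddress.ip_address(host)  # ValueError for hostnames or junk
    host_part = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"tcp://{host_part}:{port}"

def endpoint_is_exposed(endpoint: str) -> bool:
    """Audit helper: True when a tcp:// endpoint string binds every interface."""
    if not endpoint.startswith("tcp://"):
        raise ValueError("only tcp:// endpoints are checked")
    host = endpoint[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
    return host in WILDCARD_HOSTS

def weak_bind(ctx, port: int):
    """The reported pattern: any peer on the network can push commands."""
    sock = ctx.socket(zmq.PULL)
    sock.bind(f"tcp://*:{port}")
    return sock

def hardened_bind(ctx, host: str, port: int, server_secret: bytes):
    """Bind one concrete address and require CURVE: clients need the server
    public key, and the ZAP authenticator decides which client keys pass."""
    auth = zmq.auth.ThreadAuthenticator(ctx)
    auth.start()
    # CURVE_ALLOW_ANY gives encryption but admits any client key; point
    # `location` at a directory of client public certificates to allow-list.
    auth.configure_curve(domain="*", location=zmq.auth.CURVE_ALLOW_ANY)
    sock = ctx.socket(zmq.PULL)
    sock.curve_secretkey = server_secret
    sock.curve_publickey = zmq.curve_public(server_secret)
    sock.curve_server = True
    sock.bind(make_endpoint(host, port))
    return sock, auth  # call auth.stop() at shutdown
```

The server secret key for `hardened_bind` comes from `zmq.curve_keypair()` and must be provisioned out of band, together with its public half for the clients.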
| Field | Value |
|---|---|
| User | kexinoh (UID 82084) |
| Submission | 09/07/2025 11:43 (8 months ago) |
| Moderation | 09/21/2025 10:24 (14 days later) |
| Status | Accepted |
| VulDB entry | 325128 [huggingface LeRobot up to 0.3.3 ZeroMQ Socket lekiwi_remote.py missing authentication] |
| Points | 17 |