CVE-2025-25302

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-25302
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93 Product
https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:danielgatis:rembg:*:*:*:*:*:*:*:*
History

21 Mar 2025, 13:35

Type Values Removed Values Added
Summary
  • (es) Rembg es una herramienta para eliminar el fondo de las imágenes. En Rembg 2.0.57 y versiones anteriores, el middleware CORS está configurado incorrectamente. Se reflejan todos los orígenes, lo que permite que cualquier sitio web envíe solicitudes entre sitios al servidor rembg y, por lo tanto, consulte cualquier API. Incluso si se habilitara la autenticación, allow_credentials se establece en True, lo que permitiría que cualquier sitio web envíe solicitudes autenticadas entre sitios.
First Time Danielgatis
Danielgatis rembg
CPE cpe:2.3:a:danielgatis:rembg:*:*:*:*:*:*:*:*
References () https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93 - () https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93 - Product
References () https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/ - () https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/ - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5

03 Mar 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-03 17:15

Updated : 2025-03-21 13:35

NVD link : CVE-2025-25302

Mitre link : CVE-2025-25302

CVE.ORG link : CVE-2025-25302

JSON object : View

Products Affected

danielgatis

  • rembg
CWE
CWE-346

Origin Validation Error