PT-2025-9520 · Rembg · Rembg

Kevin Stubbings (+1)

Published 2025-03-03 · Updated 2025-03-21

CVE-2025-25302

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Rembg versions 2.0.57 and earlier

Description: The CORS middleware of the Rembg HTTP server is configured to allow all origins and, at the same time, to allow credentials. Since a wildcard Access-Control-Allow-Origin cannot be combined with credentials, the middleware echoes whatever Origin a request carries back in Access-Control-Allow-Origin, so any website can issue cross-site requests to a Rembg server and read the responses of every API endpoint. Should the server be placed behind cookie-based authentication, the allow-credentials setting makes the browser attach the victim's cookies to those requests and expose the authenticated responses to the attacking page as well.

Recommendations: For Rembg versions 2.0.57 and earlier, change the CORS middleware configuration to allow only an explicit list of trusted origins and set allow credentials to False. Never combine a wildcard or reflected origin with allow credentials; if credentialed cross-site access is genuinely required, restrict it to the named trusted origins only.
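The following is an added example, not Rembg's code, that models the decision the description and recommendation above are about. It reproduces the relevant behaviour of Starlette's CORSMiddleware (the middleware the Rembg server is built on) in plain Python so it runs offline: the weak setting the advisory describes (wildcard origins with credentials on) is placed beside the recommended form (explicit allowlist, credentials off), and a browser-side check shows which responses a page on an attacker-controlled origin could read. The origins https://app.example and https://evil.example are constructed placeholders; the advisory names none.

```python
"""Model of how a CORS configuration answers a cross-site request.

Constructed example for this advisory, not Rembg's own code. The decision
logic reproduces the parts of Starlette's CORSMiddleware (the middleware the
Rembg server is built on) that matter here: which value ends up in
Access-Control-Allow-Origin and whether credentials are permitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    allow_origins: tuple[str, ...] = ()
    allow_credentials: bool = False

    @property
    def allow_all_origins(self) -> bool:
        return "*" in self.allow_origins

    def is_allowed_origin(self, origin: str) -> bool:
        return self.allow_all_origins or origin in self.allow_origins


# The setting the advisory describes: every origin allowed, credentials on.
WEAK = CorsConfig(allow_origins=("*",), allow_credentials=True)

# The recommended form: an explicit allowlist and no credentials. The origin
# is an assumed deployment value (placeholder); the advisory names none.
HARDENED = CorsConfig(allow_origins=("https://app.example",), allow_credentials=False)


def preflight_headers(cfg: CorsConfig, origin: str) -> dict[str, str]:
    """CORS headers on the OPTIONS preflight answer for a request from `origin`.

    An empty dict means the origin was refused (the real middleware answers 400).
    """
    if not cfg.is_allowed_origin(origin):
        return {}
    # A wildcard is only sent when credentials are off; otherwise the request's
    # own Origin is echoed back verbatim, which is the "reflect all origins"
    # behaviour the advisory refers to.
    explicit = (not cfg.allow_all_origins) or cfg.allow_credentials
    headers = {"Access-Control-Allow-Origin": origin if explicit else "*"}
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def simple_response_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> dict[str, str]:
    """CORS headers added to the actual (non-preflight) API response."""
    headers: dict[str, str] = {}
    if cfg.allow_all_origins:
        headers["Access-Control-Allow-Origin"] = "*"
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    # A request carrying cookies must be answered with the specific origin
    # rather than '*', so the wildcard config reflects the Origin here too.
    if cfg.allow_all_origins and has_cookie:
        headers["Access-Control-Allow-Origin"] = origin
    elif not cfg.allow_all_origins and cfg.is_allowed_origin(origin):
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def browser_exposes(headers: dict[str, str], origin: str, with_credentials: bool) -> bool:
    """The browser-side check: may a page at `origin` read this response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # Credentialed responses need the exact origin plus ACAC: true; a
        # wildcard is rejected by the browser, so origin reflection is what
        # makes cookie-bearing cross-site reads possible.
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


def cross_site_read_succeeds(cfg: CorsConfig, attacker_origin: str, with_credentials: bool) -> bool:
    """End to end for a simple (non-preflighted) request such as a multipart POST.

    A credentialed fetch carries the victim's cookies, so has_cookie follows
    with_credentials. Non-simple requests are preflighted first; for these
    configurations preflight_headers() reaches the same verdict.
    """
    resp = simple_response_headers(cfg, attacker_origin, has_cookie=with_credentials)
    return browser_exposes(resp, attacker_origin, with_credentials)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for creds in (False, True):
            ok = cross_site_read_succeeds(cfg, "https://evil.example", creds)
            print(f"{name:8} credentials={creds!s:5} attacker page can read response: {ok}")
```

Against a live server the same check is a request that carries an Origin header you control plus a Cookie header: if the Origin value comes back verbatim in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, the deployment is affected. In the hardened configuration the attacker origin receives no Access-Control-Allow-Origin at all, and even the trusted origin cannot read credentialed responses, which is the intended outcome of setting allow credentials to False.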

Weakness Enumeration

Origin Validation Error (CWE-346)

Related Identifiers

CVE-2025-25302
GHSA-59QH-FMM7-3G9Q
PYSEC-2025-25

Affected Products

Rembg