CVE-2025-25301: Rembg allows SSRF via /api/remove

March 11, 2025

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure.

References

github.com/advisories/GHSA-r5gx-c49x-h878
github.com/danielgatis/rembg
nvd.nist.gov/vuln/detail/CVE-2025-25301
securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg

Detect and mitigate CVE-2025-25301 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →