CVE-2025-25302: Rembg CORS misconfiguration

March 11, 2025

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

References

github.com/advisories/GHSA-59qh-fmm7-3g9q
github.com/danielgatis/rembg
github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py
nvd.nist.gov/vuln/detail/CVE-2025-25302
securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg

Detect and mitigate CVE-2025-25302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →