Cross-Site Request Forgery Vulnerability in Rembg Tool
CVE-2025-25302

8.7 HIGH

Key Information:

CVE Published: 3 March 2025

What is CVE-2025-25302?

The Rembg tool, used for image background removal, is affected by a critical misconfiguration in its Cross-Origin Resource Sharing (CORS) middleware. The middleware reflects every requesting origin, so any website can issue cross-site requests to the Rembg server, and a malicious site can therefore call its API directly from a visitor's browser. Compounding the issue, even where authentication is applied, the 'allow_credentials' setting is set to True, so the browser attaches the victim's credentials and unauthorized sites can send authenticated requests. A correct CORS configuration (an explicit allow-list of origins, never a reflected wildcard combined with credentials) is essential to guard against this vulnerability.
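The following is an added example, not code from the rembg project or from this advisory. It models the CORS decision the advisory describes (a wildcard policy that reflects whatever Origin the caller sends, with allow_credentials enabled) beside the corrected allow-list configuration, and includes a small header audit an operator can run over the headers of a real response from their own deployment. CorsPolicy, cors_headers() and audit_cors_response() are hypothetical helpers; the origin values are constructed sample data, and the reflection behaviour is an assumption drawn from the advisory's wording rather than a transcript of any particular middleware.

```python
# Added example: simplified model of the misconfiguration described in
# CVE-2025-25302, the corrected policy, and a header audit. Not rembg code.
from __future__ import annotations

from dataclasses import dataclass

TRUSTED_ORIGIN = "https://app.example.com"   # constructed sample value
PROBE_ORIGIN = "https://untrusted.example"   # constructed: an origin we do NOT trust


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical stand-in for the two CORS middleware settings at issue."""
    allow_origins: tuple[str, ...]
    allow_credentials: bool = False


# The weak setting the advisory attributes to rembg <= 2.0.57: every origin
# accepted (reflected), and credentials allowed on top of it.
VULNERABLE_POLICY = CorsPolicy(allow_origins=("*",), allow_credentials=True)

# Corrected setting: an explicit allow-list of the origins that legitimately
# need the API; credentials may then remain enabled for those origins only.
HARDENED_POLICY = CorsPolicy(allow_origins=(TRUSTED_ORIGIN,), allow_credentials=True)


def cors_headers(policy: CorsPolicy, request_origin: str | None) -> dict[str, str]:
    """Model the CORS response headers for a request carrying `request_origin`.

    Assumption (from the advisory's wording, not a specific library): a
    wildcard policy reflects the caller's Origin verbatim. That reflection is
    what makes allow_credentials dangerous, because browsers refuse to expose a
    credentialed response whose Allow-Origin is the literal "*".
    """
    headers: dict[str, str] = {}
    if request_origin is None:
        return headers                      # same-origin or non-browser client
    if "*" in policy.allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin   # reflection
    elif request_origin in policy.allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"          # caches must key on Origin
    else:
        return headers                      # untrusted origin: no CORS grant
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors_response(probe_origin: str, headers: dict[str, str]) -> list[str]:
    """Return findings for a response to a request sent with `probe_origin`.

    `probe_origin` must be an origin the operator does NOT trust; if the
    server grants it anyway, the policy is effectively open to the whole web.
    """
    findings: list[str] = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == probe_origin:
        findings.append("untrusted origin reflected in Access-Control-Allow-Origin")
        if creds:
            findings.append(
                "credentials allowed for reflected origin (authenticated cross-site requests possible)"
            )
    elif acao == "*" and creds:
        findings.append(
            "wildcard origin combined with credentials (browsers block this, but the intent is wrong)"
        )
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        resp = cors_headers(policy, PROBE_ORIGIN)
        print(f"{name}: {resp} -> {audit_cors_response(PROBE_ORIGIN, resp)}")
```

Running the block shows the vulnerable policy granting the untrusted origin with credentials (two findings) while the hardened policy returns no CORS headers for it at all; the same audit function can be pointed at headers captured from a live deployment by sending a request with a throwaway Origin you control and passing the response headers in.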

Affected Version(s)

rembg <= 2.0.57

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability Reserved