CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-25302: Rembg CORS misconfiguration

8.7 CVSS

Description

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

Classification

CVE ID: CVE-2025-25302

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-346: Origin Validation Error

Affected Products

Vendor: danielgatis

Product: rembg

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 0.44% (scored less or equal to compared to others)

EPSS Date: 2025-04-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-25302
https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/
https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93

Timeline

2025-03-03 17:40:21 UTC
CVE

Rembg CORS misconfiguration
2025-03-11 22:15:23 UTC
Github Advisory Database (PIP)

[rembg] Rembg CORS misconfiguration