We use cookies to improve your experience on our site.
AVID-2026-R1669
Description
Rembg CORS misconfiguration (CVE-2025-25302)
Details
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.
Reason for inclusion in AVID: CVE-2025-25302 describes a CORS misconfiguration in rembg that could allow cross-site requests and data exposure via a server API. This is a software vulnerability in a component commonly used in AI image-processing pipelines, i.e., a general-purpose AI system supply chain artifact. The report provides clear evidence (CVE, description, references, and code links) supporting its AI relevance and security impact.
References
- NVD entry
- https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/
- https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93
Affected or Relevant Artifacts
- Developer: danielgatis
- Deployer: danielgatis
- Artifact Details:
| Type | Name |
|---|---|
| System | rembg |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-346 | CWE-346: Origin Validation Error |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-03
- Version: 0.3.3
- AVID Entry