GHSA-55V6-G8PM-PW4C: Server-Side Request Forgery and CORS Misconfiguration in rembg API
Vulnerability ID: GHSA-55V6-G8PM-PW4C
CVSS Score: 7.5
Published: 2026-04-10
The rembg library's API server component contains a Server-Side Request Forgery (SSRF) vulnerability and a permissive Cross-Origin Resource Sharing (CORS) misconfiguration. These flaws allow attackers to probe internal networks and perform unauthorized cross-origin requests.
TL;DR
Unvalidated URL parameters in rembg's API enable SSRF attacks against internal network resources, compounded by a permissive CORS configuration that allows credentialed cross-origin requests.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- EPSS Score: 0.00037
- Exploit Status: Proof-of-Concept
- CISA KEV: Not Listed
Affected Systems
- rembg HTTP API Server
- rembg: <= 2.0.57 (Fixed in: 2.0.75)
Code Analysis
Commit: 07ad0d4
Implemented URL validation for the /api/remove endpoint and restricted CORS middleware.
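The fix summarized above pairs destination validation for the fetched URL with a restricted CORS policy. The following is an added example, not rembg's own code: a check for a client-supplied image URL that rejects non-HTTP schemes, embedded credentials, and any host that is or resolves to a private, loopback, link-local or cloud-metadata address (the ranges named in the remediation steps below, plus their IPv6 counterparts), and a CORS header builder that grants access only to an explicit origin allowlist rather than reflecting any origin. The function names, the pluggable resolver hook and the sample hostnames are assumptions made for this example.

```python
"""Defensive checks for a 'fetch an image from a URL' API endpoint.

Added example, not rembg's own code. Function names, the resolver hook and
the sample hostnames are assumptions made for this example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server should never fetch from on behalf of a client.
# The first four are the ranges listed in the advisory's remediation step;
# the rest cover loopback, unspecified, carrier-grade NAT and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


class UnsafeURL(ValueError):
    """Raised when a client-supplied URL must not be fetched server-side."""


def default_resolver(host):
    """Resolve a hostname to every A/AAAA address it currently has."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr):
    """True if addr is private, loopback, link-local or otherwise not public unicast."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in BLOCKED_NETWORKS))


def validate_remote_url(url, resolve=default_resolver):
    """Check a user-supplied URL and return the list of addresses it resolved to.

    Raises UnsafeURL on a non-HTTP scheme, embedded credentials, a missing host,
    or any literal or resolved address that is_blocked_address() rejects. The
    caller should connect to the returned addresses (with redirects disabled)
    rather than re-resolving the name, which closes the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addresses = resolve(host)
        except (socket.gaierror, KeyError) as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise UnsafeURL(f"no addresses for {host!r}")
    for addr in addresses:
        if is_blocked_address(addr):
            raise UnsafeURL(f"{host!r} points at non-public address {addr}")
    return addresses


def is_safe_remote_url(url, resolve=default_resolver):
    """Boolean convenience wrapper around validate_remote_url()."""
    try:
        validate_remote_url(url, resolve=resolve)
    except UnsafeURL:
        return False
    return True


def cors_headers(origin, allowed_origins, allow_credentials=True):
    """Restricted CORS: echo the Origin only if it is on an explicit allowlist.

    Never combine '*' with credentials; an empty dict means 'no CORS grant'.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    fake_dns = {"cdn.example": ["93.184.216.34"], "intranet.example": ["10.1.2.3"]}
    print(validate_remote_url("https://cdn.example/cat.png", resolve=fake_dns.__getitem__))
    for bad in ("http://169.254.169.254/latest/meta-data/",
                "http://intranet.example/x.png", "file:///etc/passwd"):
        try:
            validate_remote_url(bad, resolve=fake_dns.__getitem__)
        except UnsafeURL as exc:
            print("rejected:", exc)
```

The validator returns the resolved addresses on purpose: the HTTP client should be pointed at those addresses and run with redirects disabled (for aiohttp, `allow_redirects=False` on the request), otherwise a redirect or a second DNS answer can still land on an internal host after the check has passed. The egress firewall rules in the remediation steps remain the backstop for anything the application-level check misses.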
Mitigation Strategies
- Upgrade the rembg package to version 2.0.75.
- Implement strict egress network filtering for the server host.
- Apply Web Application Firewall (WAF) rules filtering suspicious URLs in the API path.
- Disable HTTP redirects within the aiohttp client configuration if possible.
Remediation Steps
- Identify all deployments of the rembg API server.
- Update the Python package dependencies to require rembg >= 2.0.75.
- Restart the application services to apply the updated codebase.
- Configure network security groups (NSGs) or firewall rules to block egress traffic from the rembg container to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.169.254/32.
References
- GitHub Advisory: GHSA-55V6-G8PM-PW4C
- GitHub Security Lab Advisory: GHSL-2024-161 and GHSL-2024-162
- NVD Detail: CVE-2025-25301