CVE-2025-25302

Exploit

EPSS 0.18%
Veröffentlicht 03.03.2025 17:15:14
Zuletzt bearbeitet 21.03.2025 13:35:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rembg CORS misconfiguration

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Danielgatis ≫ Rembg Version <= 2.0.57

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.075

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/

Third Party Advisory

Exploit

https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-25302

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-25302

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-25302

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-25302