First published: Tue Mar 11 2025
Rembg is a tool for removing image backgrounds. In Rembg 2.0.57 and earlier, the CORS middleware is set up incorrectly: every Origin is reflected back, which allows any website to send cross-site requests to the rembg server and thus query any API. Even if authentication were enabled, allow_credentials is set to True, so any website could also send authenticated cross-site requests.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/rembg | <=2.0.57 | |
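As an added example (not code from the advisory or the rembg project), the following Python snippet shows a defender's check for the condition described above: it classifies a server's CORS response to a request carrying a chosen Origin, probes with two unrelated origins so that an allow-listed match is not mistaken for reflection, and simulates the affected behaviour beside a corrected allow-list. The server framework, middleware parameter names and the origins used are assumptions.

```python
from typing import Callable, Mapping

# A fetcher sends one request carrying the given Origin and returns the
# response headers. Real use: wrap requests/httpx; here we use simulated servers.
Fetcher = Callable[[str], Mapping[str, str]]

def classify_cors(headers: Mapping[str, str], probe_origin: str) -> str:
    """Classify one response to a request that carried `Origin: probe_origin`."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"            # browser blocks cross-site reads
    if acao == "*":
        return "wildcard"           # any site may read, but browsers refuse credentials with '*'
    if acao == probe_origin:        # our origin came back: allow-listed or reflected?
        return "echoed-with-credentials" if creds else "echoed"
    return "allowlisted"            # a fixed, different origin

def audit_cors(fetch: Fetcher, probes=("https://probe-a.invalid", "https://probe-b.invalid")) -> str:
    """Probe with two unrelated origins; only if both are echoed is the server reflecting."""
    verdicts = [classify_cors(fetch(o), o) for o in probes]
    if all(v.startswith("echoed") for v in verdicts):
        if all(v == "echoed-with-credentials" for v in verdicts):
            return "reflected-with-credentials"   # the GHSA-59qh-fmm7-3g9q condition
        return "reflected"
    rank = ["no-cors", "allowlisted", "wildcard"]
    others = [v for v in verdicts if v in rank]
    return max(others, key=rank.index) if others else "allowlisted"

# --- Simulated servers (constructed, not captured from a rembg instance) ---

def reflecting_server(origin: str) -> dict:
    """Affected behaviour: every Origin is reflected and credentials are allowed
    (the pattern the advisory describes; a middleware configured with
    allow_origins=['*'] plus allow_credentials=True is assumed, not confirmed)."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

ALLOWED = {"https://app.example"}   # hypothetical front-end origin

def allowlist_server(origin: str) -> dict:
    """Corrected behaviour: echo only allow-listed origins, no credentials by default."""
    return {"Access-Control-Allow-Origin": origin} if origin in ALLOWED else {}

if __name__ == "__main__":
    print("affected :", audit_cors(reflecting_server))   # reflected-with-credentials
    print("corrected:", audit_cors(allowlist_server))    # no-cors
```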
The severity of GHSA-59qh-fmm7-3g9q is considered moderate due to improper CORS configuration allowing potential cross-site request forgery.
To fix GHSA-59qh-fmm7-3g9q, upgrade Rembg to version 2.0.58 or later to ensure proper CORS settings.
GHSA-59qh-fmm7-3g9q addresses the issue where all origins are reflected, allowing unauthorized cross-site requests to the rembg server.
Rembg versions up to and including 2.0.57 are affected by GHSA-59qh-fmm7-3g9q.
Yes, GHSA-59qh-fmm7-3g9q can lead to data exposure as it allows any website to send requests to the rembg server.