CVE-2025-25301

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

R

embg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure.

References

Link	Resource
https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:danielgatis:rembg:*:*:*:*:*:*:*:*

History

07 Mar 2025, 20:42

Type	Values Removed	Values Added
References	~~() https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/ -~~	() https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/ - Exploit, Third Party Advisory
CPE		cpe:2.3:a:danielgatis:rembg::::::::
First Time		Danielgatis rembg Danielgatis
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
Summary		(es) Rembg es una herramienta para eliminar el fondo de las imágenes. En Rembg 2.0.57 y versiones anteriores, el punto de conexión /api/remove toma un parámetro de consulta de URL que permite obtener, procesar y devolver una imagen. Un atacante podría consultar este endpoint para ver imágenes alojadas en la red interna del servidor de Rembg. Este problema puede provocar una divulgación de información.

03 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-03 17:15

Updated : 2025-03-07 20:42

NVD link : CVE-2025-25301

Mitre link : CVE-2025-25301

CVE.ORG link : CVE-2025-25301

JSON object : View

Products Affected

danielgatis

rembg

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-25301", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-03T17:15:14.740", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure."}, {"lang": "es", "value": "Rembg es una herramienta para eliminar el fondo de las im\u00e1genes. En Rembg 2.0.57 y versiones anteriores, el punto de conexi\u00f3n /api/remove toma un par\u00e1metro de consulta de URL que permite obtener, procesar y devolver una imagen. Un atacante podr\u00eda consultar este endpoint para ver im\u00e1genes alojadas en la red interna del servidor de Rembg. Este problema puede provocar una divulgaci\u00f3n de informaci\u00f3n."}], "lastModified": "2025-03-07T20:42:09.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:danielgatis:rembg:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7252EC1C-8869-467E-A752-182C1C4A2430", "versionEndIncluding": "2.0.57"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}