exploitDog

CVE-2025-25302

Опубликовано: 03 мар. 2025

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

Ссылки

https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93
Product
https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:danielgatis:rembg:*:*:*:*:*:*:*:*

Версия до 2.0.57 (включая)

EPSS

Процентиль: 11%

0.00038

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-346

CWE-346

Связанные уязвимости

GHSA-59qh-fmm7-3g9q

github

11 месяцев назад

Rembg CORS misconfiguration

EPSS

Процентиль: 11%

0.00038

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-346

CWE-346