CVE-2025-25301
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25301 is an information disclosure vulnerability in Rembg, a tool for removing image backgrounds, affecting versions 2.0.57 and earlier. The issue stems from the /api/remove endpoint, which accepts a URL query parameter to fetch, process, and return an image. An attacker can supply an internal network URL via this parameter, causing the rembg server to retrieve and expose images hosted on its internal network. This flaw is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
Any unauthenticated remote attacker with network access to the rembg server can exploit this vulnerability. By sending a request to the /api/remove endpoint whose URL parameter points to an internal resource, such as a private image server, the attacker causes the server to fetch the image, process it for background removal, and return the result. This enables unauthorized viewing of sensitive internal images without privileges or user interaction.
The GitHub Security Lab advisory (GHSL-2024-161 and GHSL-2024-162) provides further details on this vulnerability at https://securitylab.github.com/advisories/GHSL-2024-161_GHSL-2024-162_rembg/. Security practitioners should consult this reference for recommended mitigations and patches.
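The root cause is a server-side fetch of an attacker-supplied URL with no destination check. The validator below is an added mitigation example, not rembg's code or the fix from the advisory; the function names, the allowed-scheme policy and the injectable `resolve` hook are assumptions, and it rejects any URL whose host resolves to a non-public address.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Example mitigation for a "fetch this URL" parameter such as the one on the
# /api/remove endpoint. Not rembg's own code; names and policy are assumptions.

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the host resolves to (real DNS lookup)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged by its IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_url(url, resolve=_resolve):
    """Return (ok, reason). Rejects URLs that could reach internal hosts.

    Every address the host resolves to must be public, so a host with one
    internal record among several is rejected rather than let through.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"
    try:
        addrs = resolve(host)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    if not addrs or not all(_is_public(a) for a in addrs):
        return False, "host resolves to a non-public address"
    return True, "ok"
```

The check must be applied again to every redirect hop (or redirects disabled), and the fetch should connect to the address that was validated rather than re-resolving the name, otherwise a DNS answer that changes between check and use bypasses it.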
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in the public-facing /api/remove endpoint enables remote, unauthenticated exploitation of the application to reach internal resources.