GHSA-55v6-g8pm-pw4c: rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration

April 10, 2026

rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration, which may allow an attacker website to send requests to servers on the internal network and view image responses.

References

github.com/advisories/GHSA-55v6-g8pm-pw4c
github.com/danielgatis/rembg
github.com/danielgatis/rembg/commit/07ad0d493057bddf821dcc3e2410eb7e065257c0
github.com/danielgatis/rembg/releases/tag/v2.0.75
github.com/danielgatis/rembg/security/advisories/GHSA-55v6-g8pm-pw4c

Code Behaviors & Features

Detect and mitigate GHSA-55v6-g8pm-pw4c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →