Is rembg safe to use?

rembg has 6 known vulnerabilities on the latest version (2.0.53). DepScope rates its health at 20/100 (critical risk).

What is the latest version of rembg?

The latest version of rembg is 2.0.53, released 2025-04-22.

Does rembg have known vulnerabilities?

Yes. rembg has 6 known vulnerabilities. See depscope.dev/pkg/conda/rembg for details.

No, rembg is actively maintained. Latest release: 2.0.53 (2025-04-22).

What are alternatives to rembg?

DepScope has no curated alternatives for rembg at this time.

rembg

condav2.0.53

Remove image background

License MITpermissive3 versions1 maintainers0 deps57 weekly dl

danielgatis/rembg

/ 100

Health

update required

[email protected] has vulnerabilities — update to latest

Update to >= 2.0.58 to fix known vulnerabilities

Low health score (20/100)
2 high severity vulnerabilities

Health breakdown0 – 100

5/25

maintenance

0/20

popularity

7/25

security

6/15

maturity

2/15

community

Vulnerabilities

2 high4 medium

Advisories (6)

Severity	ID	Summary	Fixed in
medium	CVE-2026-40086	Rembg has a Path Traversal via Custom Model Loading	2.0.75
medium	GHSA-55v6-g8pm-pw4c	rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration	2.0.75
high	CVE-2025-25302	Rembg CORS misconfiguration	—
medium	CVE-2025-25301	Rembg allows SSRF via /api/remove	—
high	CVE-2025-25301	Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure.	2.0.58
medium	CVE-2025-25302	Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.	2.0.58

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/conda/rembg

First published · 2023-10-27 20:30:10.177000+00:00

Last updated · 2025-04-22 14:58:50.292000+00:00

Severity

Summary

Fixed in

medium

CVE-2026-40086

Rembg has a Path Traversal via Custom Model Loading

2.0.75

medium

GHSA-55v6-g8pm-pw4c

rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration

2.0.75

high

CVE-2025-25302

Rembg CORS misconfiguration

—

medium

CVE-2025-25301

Rembg allows SSRF via /api/remove

—

high

CVE-2025-25301

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server. This issue may lead to Information Disclosure.

2.0.58

medium

CVE-2025-25302

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

2.0.58