Rembg Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the Rembg HTTP server in versions prior to 2.0.75. It allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious 'model_path' parameter, an attacker can make the server attempt to load any file as an ONNX model. The resulting error messages can reveal the file's existence and permissions, and potentially its contents. The vulnerability arises from insufficient validation of file paths in the custom model feature, which is exposed through the HTTP API without restrictions.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as configuration files or environment variables, and could potentially allow for further attacks based on the disclosed information.

Reproduction

To reproduce this vulnerability, start the Rembg server in HTTP mode. Then send a POST request to the '/api/remove' endpoint with the 'extras' parameter set to a JSON object containing a malicious 'model_path' value. The request must also include a file, such as a minimal PNG image, to satisfy the API's requirements. When the request is processed, the server attempts to load the specified file as an ONNX model, and any error messages it returns indicate whether the file was successfully accessed.

Remediation

Users are advised to update to Rembg version 2.0.75 or later, where this vulnerability has been fixed. Those who cannot update should consider disabling custom model support in the HTTP API, or validating model paths against an allowlist (for example, accepting only names that resolve to files inside a dedicated models directory).
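The following is an added example of the allowlist validation suggested above; it is not Rembg's own code or its fix. It assumes that custom models are only ever loaded from a single directory (the hypothetical MODELS_DIR) and that the caller-supplied 'model_path' is a name relative to that directory. The path is resolved (which normalizes '..' and follows symlinks) before the containment check, so a symlink planted inside the models directory cannot point the loader elsewhere, and rejections raise a single generic error rather than echoing filesystem details.

```python
"""Allowlist validation for a caller-supplied 'model_path' (added example,
not part of Rembg). MODELS_DIR and the function names are assumptions."""
from pathlib import Path

# Assumption: custom ONNX models are only permitted under this directory.
MODELS_DIR = Path("/srv/rembg/models")


class UnsafeModelPath(ValueError):
    """Raised for any 'model_path' that must not reach the ONNX loader.

    The message is deliberately generic: it never includes the resolved path,
    whether the target exists, or its permissions, since leaking those through
    error responses is exactly the information disclosure being prevented.
    """


def validate_model_path(user_value, models_dir=MODELS_DIR):
    """Return the resolved Path for user_value if it is an .onnx file inside
    models_dir; raise UnsafeModelPath otherwise."""
    if not isinstance(user_value, str) or not user_value:
        raise UnsafeModelPath("invalid model_path")

    candidate = Path(user_value)
    # Absolute paths are rejected outright: Path(base) / "/etc/passwd" would
    # otherwise silently discard the base directory.
    if candidate.is_absolute():
        raise UnsafeModelPath("invalid model_path")

    try:
        base = models_dir.resolve()
        # resolve() collapses '..' segments and follows symlinks, so the
        # containment check below sees the real target, not the spelling.
        resolved = (base / candidate).resolve()
    except (OSError, ValueError):  # e.g. embedded NUL byte
        raise UnsafeModelPath("invalid model_path")

    # Containment: the models directory must be a strict ancestor of the target
    # (this also rejects "." and "", which resolve to the directory itself).
    if base not in resolved.parents:
        raise UnsafeModelPath("invalid model_path")

    if resolved.suffix.lower() != ".onnx":
        raise UnsafeModelPath("invalid model_path")

    # Only now is it acceptable to touch the filesystem (is_file, open, ...),
    # because the target is known to be inside the allowed directory.
    return resolved


def is_safe_model_path(user_value, models_dir=MODELS_DIR):
    """Boolean wrapper around validate_model_path for callers that only need
    a verdict."""
    try:
        validate_model_path(user_value, models_dir)
        return True
    except UnsafeModelPath:
        return False


if __name__ == "__main__":
    # Constructed inputs: two legitimate names and several traversal attempts.
    for value in ["u2net_custom.onnx", "custom/variant.onnx",
                  "../../../etc/passwd", "/etc/passwd",
                  "sub/../../escape.onnx", "notes.txt", ""]:
        print(f"{value!r:30} -> {'allowed' if is_safe_model_path(value) else 'rejected'}")
```

In a request handler, the validated Path replaces the raw 'model_path' string before anything is opened, and an UnsafeModelPath is mapped to a 400 response with the same generic body every time, so the response neither confirms nor denies anything about files outside the models directory.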

Added: Apr 10, 2026, 5:40 PM
Updated: Apr 10, 2026, 5:40 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.