
We found results for “”
CVE-2025-55013
Good to know:


Date: August 8, 2025
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as "../../../etc/cron.d/evil" and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Relative Path Traversal
CWE-23Top Fix

Upgrade Version
Upgrade to version assemblyline-service-client - 4.6.1.dev138;assemblyline-service-client - 4.6.1.dev138;https://github.com/CybercentreCanada/assemblyline-service-client.git - null;https://github.com/CybercentreCanada/assemblyline-service-client.git - v4.6.1.dev138
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | ADJACENT_NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | LOW |
Availability (A): | LOW |