CVE-2025-55013

Date: August 8, 2025

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as "../../../etc/cron.d/evil" and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
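The following is an added illustration of how a client can harden the download step the advisory describes; it is hypothetical code, not the project's own fix. It assumes the server-returned name is meant to be the SHA-256 hex digest of the downloaded bytes, rejects anything that is not a 64-character lowercase hex string, confines the resolved path to the service's working directory, and verifies the written content actually hashes to the name.

```python
import hashlib
import os
import re

# Hypothetical hardening of the download step described in the advisory
# (not the project's code). The server-returned name must be a SHA-256 hex
# digest, and the resolved path must stay inside the service's working directory.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def safe_local_path(working_dir: str, server_sha256: str) -> str:
    """Return the confined path for a downloaded file, or raise ValueError.

    Check 1 rejects anything that is not 64 lowercase hex characters, which
    already excludes '/', '..' and any traversal payload. Check 2 confines
    the resolved path to working_dir in case check 1 is ever relaxed.
    """
    if not isinstance(server_sha256, str) or not SHA256_HEX.fullmatch(server_sha256):
        raise ValueError(f"server returned a non-SHA-256 file name: {server_sha256!r}")
    base = os.path.realpath(working_dir)
    candidate = os.path.realpath(os.path.join(base, server_sha256))
    if os.path.dirname(candidate) != base:
        raise ValueError(f"resolved path escapes working directory: {candidate!r}")
    return candidate


def write_download(working_dir: str, server_sha256: str, data: bytes) -> str:
    """Write downloaded bytes under working_dir after verifying they hash to the name.

    The name is supposed to be the content's SHA-256, so a mismatch means the
    server (or a MITM) substituted the bytes; nothing is written in that case.
    """
    path = safe_local_path(working_dir, server_sha256)
    if hashlib.sha256(data).hexdigest() != server_sha256:
        raise ValueError("downloaded content does not match the SHA-256 it was named with")
    os.makedirs(working_dir, exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs: a genuine digest and the traversal payload quoted in the advisory.
    payload = b"constructed sample bytes"
    print(write_download("/tmp/al_work_example", hashlib.sha256(payload).hexdigest(), payload))
    try:
        safe_local_path("/tmp/al_work_example", "../../../etc/cron.d/evil")
    except ValueError as exc:
        print("rejected:", exc)
```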

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to a fixed version:
- assemblyline-service-client 4.6.1.dev138 (PyPI)
- https://github.com/CybercentreCanada/assemblyline-service-client.git tag v4.6.1.dev138

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): LOW