CVE-2025-55013
August 09, 2025
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as "../../../etc/cron.d/evil" and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
Affected Packages
https://github.com/CybercentreCanada/assemblyline-service-client.git (GITHUB):
Affected version(s) >=v4.6.1.dev1 <v4.6.1.dev138Fix Suggestion:
Update to version v4.6.1.dev138assemblyline-service-client (PYTHON):
Affected version(s) >=4.6.1.dev0 <4.6.1.dev138Fix Suggestion:
Update to version 4.6.1.dev138assemblyline-service-client (PYTHON):
Affected version(s) >=4.6.1.dev1 <4.6.1.dev138Fix Suggestion:
Update to version 4.6.1.dev138Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
4.2
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Relative Path Traversal
EPSS
Base Score:
0.02
