Description

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.

INFO

Published Date :

2025-08-09T02:02:23.602Z

Last Modified :

2025-08-12T13:26:26.900Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55013 vulnerability.

Vendors Products
Assemblyline Project
  • Assemblyline
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55013.

URL Resource
https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900 cve-icon cve-icon
https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact