CVE Alert: CVE-2025-55013

Vulnerability Summary: CVE-2025-55013
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
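The defensive pattern the advisory implies, as an added example that is not the project's own fix nor code from task_handler.py: a server-supplied file name is only accepted if it is syntactically a SHA-256 hex digest, the resolved path is confirmed to stay under the working directory, and (going one step beyond the advisory) the downloaded bytes must actually hash to the claimed digest. The helper names and the constructed sample payload are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A SHA-256 hex digest is exactly 64 hex characters; anything else the server
# sends (e.g. "../../../etc/cron.d/evil") must never reach the filesystem.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_sha256_name(value) -> bool:
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def safe_task_file_path(working_dir: str, sha256: str) -> Path:
    """Where a server-named task file may be written; ValueError otherwise."""
    if not is_sha256_name(sha256):
        raise ValueError(f"server returned a non-SHA-256 file name: {sha256!r}")
    base = Path(working_dir).resolve()
    target = (base / sha256.lower()).resolve()
    # Defence in depth: even a regex-clean value must sit directly under base.
    if target.parent != base:
        raise ValueError("resolved path escapes the working directory")
    return target


def write_task_file(working_dir: str, sha256: str, data: bytes) -> Path:
    """Hypothetical helper: validate the name, then verify content integrity."""
    target = safe_task_file_path(working_dir, sha256)
    if hashlib.sha256(data).hexdigest() != sha256.lower():
        raise ValueError("downloaded content does not match claimed SHA-256")
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise the honest, traversal and hash-mismatch cases in a scratch dir."""
    payload = b"constructed sample file body"  # constructed, not real task data
    good = hashlib.sha256(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as work:
        written = write_task_file(work, good, payload)
        results["inside_workdir"] = written.parent == Path(work).resolve()
        for label, name in (("traversal_rejected", "../../../etc/cron.d/evil"),
                            ("mismatch_rejected", "0" * 64)):
            try:
                write_task_file(work, name, payload)
                results[label] = False
            except ValueError:
                results[label] = True
    return results
```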
Affected Endpoints:
No affected endpoints listed.
Published Date:
8/9/2025, 3:15:47 AM
💀 CVSS Score:
Exploit Status:
Not Exploited
EPS Score: 0.00044 | Ranking EPS: 0.12414
References:
- https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900
- https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.