CVE-2025-55013

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900
https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865

Configurations

No configuration.

History

No history.

Information

Published : 2025-08-09 03:15

Updated : 2025-08-12 14:15

NVD link : CVE-2025-55013

Mitre link : CVE-2025-55013

CVE.ORG link : CVE-2025-55013

JSON object : View

Products Affected

No product.

CWE

CWE-23

Relative Path Traversal

{"id": "CVE-2025-55013", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 1.6}]}, "published": "2025-08-09T03:15:47.620", "references": [{"url": "https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900", "source": "[email protected]"}, {"url": "https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138."}, {"lang": "es", "value": "Assemblyline 4 Service Client interact\u00faa con la API para obtener tareas y publicar el resultado de un servicio en Assemblyline 4. En versiones anteriores a la 4.6.1.dev138, el cliente de servicio de Assemblyline 4 (task_handler.py) acepta un valor SHA-256 devuelto por el servidor de servicio y lo usa directamente como nombre de archivo local. Un servidor malicioso o comprometido (o cualquier MITM que pueda comunicarse con el cliente) puede devolver un payload de path traversal como `../../../etc/cron.d/evil` y obligar al cliente a escribir los bytes descargados en una ubicaci\u00f3n arbitraria del disco. Esto se solucion\u00f3 en la versi\u00f3n 4.6.1.dev138."}], "lastModified": "2025-08-12T14:15:29.400", "sourceIdentifier": "[email protected]"}