CVE-2025-55013: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. No validation or sanitisation is performed.
A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk.
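As an added illustration of the mitigation (example code written for this page, not the project's own task_handler.py), the server-supplied value is checked against the exact shape of a SHA-256 hex digest before it is used as a file name, and the resolved path is additionally confirmed to be a direct child of the working directory. The working directory and sample values are constructed.

```python
import re
from pathlib import Path

# A SHA-256 hex digest is exactly 64 lowercase hex characters; anything else
# (path separators, "..", uppercase, wrong length) is rejected up front.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def safe_result_path(working_dir: str, sha256: str) -> Path:
    """Return the path where a file identified by `sha256` may be written.

    Raises ValueError when the value is not a bare digest or when the
    resolved path would escape `working_dir`. Hypothetical hardening for the
    pattern in the advisory: never use a server-supplied string as a file
    name without validating it first.
    """
    if not isinstance(sha256, str) or not SHA256_RE.fullmatch(sha256):
        raise ValueError(f"refusing server-supplied file name: {sha256!r}")

    base = Path(working_dir).resolve()
    candidate = (base / sha256).resolve()
    # Defence in depth: even a value that passed the regex must resolve to a
    # direct child of the working directory, never somewhere above it.
    if candidate.parent != base:
        raise ValueError(f"path escapes working directory: {candidate}")
    return candidate


def is_safe_server_filename(working_dir: str, sha256: str) -> bool:
    """Boolean wrapper used to classify values without raising."""
    try:
        safe_result_path(working_dir, sha256)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server response.
    good = "a" * 64
    samples = [good, "../../../etc/cron.d/evil", "A" * 64, "abc", good + "/x"]
    for value in samples:
        verdict = "accepted" if is_safe_server_filename("/tmp/al_work", value) else "rejected"
        print(f"{value[:40]:<42} -> {verdict}")
```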
References
- github.com/CybercentreCanada/assemblyline-service-client
- github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900
- github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865
- github.com/advisories/GHSA-75jv-vfxf-3865
- nvd.nist.gov/vuln/detail/CVE-2025-55013