GHSA-75jv-vfxf-3865: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. No validation or sanitisation is performed on that value. A malicious or compromised server (or a man-in-the-middle positioned between the two that can speak to the client) can therefore return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk. With a destination like the one in that example, an arbitrary file write becomes code execution on hosts where the client runs with sufficient privileges to write there.
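The flawed pattern and a hardened replacement, as an added illustration that is not the project's own code (the function names, the working directory and the sample payload are constructed for this example). The fix has three layers: allow-list the name to a canonical 64-character lowercase hex digest, confirm the resolved destination sits directly under the working directory, and, because the name is a content hash, refuse bytes whose SHA-256 does not match it.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# A SHA-256 hex digest is exactly 64 lowercase hex characters; anything else
# (slashes, dots, uppercase, shorter strings) is not an acceptable file name here.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def is_valid_sha256(value: str) -> bool:
    """True only for a canonical lowercase 64-character hex digest."""
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def vulnerable_write(working_dir: str, sha256: str, data: bytes) -> str:
    """The flawed pattern: the server-supplied value becomes the file name as-is."""
    dest = os.path.join(working_dir, sha256)  # "../x" walks out of working_dir
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def safe_write(working_dir: str, sha256: str, data: bytes) -> str:
    """Hardened version (hypothetical): allow-list, containment check, content check."""
    if not is_valid_sha256(sha256):
        raise ValueError(f"server returned a non-SHA-256 file name: {sha256!r}")
    base = Path(working_dir).resolve()
    dest = (base / sha256).resolve()
    # Belt and braces: even a valid-looking name must land directly under base.
    if dest.parent != base:
        raise ValueError(f"destination {dest} escapes {base}")
    # The name is a content hash, so the bytes must match it or something is off.
    actual = hashlib.sha256(data).hexdigest()
    if actual != sha256:
        raise ValueError(f"content hash {actual} does not match requested {sha256}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return str(dest)


def demo() -> dict:
    """Constructed scenario mirroring the advisory: traversal name vs. real hash."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"
        work.mkdir()
        payload = b"* * * * * root /tmp/evil.sh\n"  # constructed cron-style content
        traversal = "../escaped_file"               # what a hostile server might return

        # Vulnerable path: the file lands one level above the working directory.
        written = Path(vulnerable_write(str(work), traversal, payload)).resolve()
        escaped = written.parent == Path(tmp).resolve()

        def raises(name: str, data: bytes) -> bool:
            try:
                safe_write(str(work), name, data)
            except ValueError:
                return True
            return False

        good = hashlib.sha256(payload).hexdigest()
        return {
            "escaped": escaped,                          # vulnerable write left work/
            "rejected": raises(traversal, payload),      # traversal name refused
            "mismatch": raises(good, payload + b"x"),    # tampered bytes refused
            "ok_inside": Path(safe_write(str(work), good, payload)).parent == work.resolve(),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check is deliberately kept even though the regex alone already excludes path separators: it costs nothing and protects the write if the allow-list is ever loosened. The content-hash check is an assumption about how the client uses the value (the page states the name is a SHA-256, so bytes that do not hash to it are suspect either way).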