CVE-2025-55013

MEDIUM

Assemblyline 4 <4.6.1.dev138 - Path Traversal

Title source: llm

Description

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.

References (2)

Scores

CVSS v3 4.2
EPSS 0.0002
EPSS Percentile 6.2%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Classification

CWE
CWE-23
Status draft

Affected Products (1)

pypi/assemblyline-service-client < 4.6.0.stable11PyPI

Timeline

Published Aug 09, 2025
Tracked Since Feb 18, 2026