VYPR
Medium severity · 4.2 · NVD Advisory · Published Aug 9, 2025 · Updated Apr 15, 2026

CVE-2025-55013

Description

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
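To make the mechanism concrete, the following is an added example (not code from the advisory or from the Assemblyline project) that places the unchecked pre-fix behaviour beside a hardened version: the name is validated with fullmatch against an anchored 64-hex pattern, the resolved path is checked to be a direct child of the working directory, and the bytes are only written when they hash to the requested digest. The names SHA256_FULL, vulnerable_target, hardened_target, store_download and demo_roundtrip are assumptions for this example; the project's own pattern is assemblyline.odm.SHA256_REGEX.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Anchored pattern: exactly 64 lowercase hex digits (hypothetical name; the
# project's own pattern is assemblyline.odm.SHA256_REGEX).
SHA256_FULL = re.compile(r"[0-9a-f]{64}")


def vulnerable_target(workdir: str, sha256: str) -> str:
    """Pre-fix behaviour: the server-supplied value becomes the file name unchecked.
    normpath is applied only to show where the write actually lands."""
    return os.path.normpath(os.path.join(workdir, sha256))


def is_safe_name(sha256) -> bool:
    """True only for a bare SHA-256 string; fullmatch rejects a trailing '/../...'
    even when the pattern has no end anchor, which re.match would let through."""
    return isinstance(sha256, str) and SHA256_FULL.fullmatch(sha256) is not None


def hardened_target(workdir: str, sha256: str) -> Path:
    """Validate the name, then prove the resolved path is a direct child of workdir."""
    if not is_safe_name(sha256):
        raise ValueError("invalid sha256 from server: %r" % (sha256,))
    base = Path(workdir).resolve()
    target = (base / sha256).resolve()
    if target.parent != base:
        raise ValueError("path escapes working directory")
    return target


def store_download(workdir: str, sha256: str, data: bytes) -> Path:
    """Write the bytes only if the name validates and they hash to the requested
    digest, so a server cannot substitute content under a plausible name either."""
    target = hardened_target(workdir, sha256)
    if hashlib.sha256(data).hexdigest() != sha256:
        raise ValueError("downloaded content does not match requested sha256")
    target.write_bytes(data)
    return target


def demo_roundtrip() -> bool:
    """Store constructed bytes under their real digest in a scratch directory."""
    data = b"constructed sample payload"  # constructed, not a real Assemblyline file
    digest = hashlib.sha256(data).hexdigest()
    workdir = tempfile.mkdtemp()
    target = store_download(workdir, digest, data)
    return target.parent == Path(workdir).resolve() and target.read_bytes() == data
```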

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions                 Patched versions
assemblyline-service-client (PyPI)  < 4.6.0.stable11                  4.6.0.stable11
assemblyline-service-client (PyPI)  >= 4.6.1.dev0, < 4.6.1.dev138     4.6.1.dev138

Patches

1 patch · commit 351414e7e96c

Merge pull request #81 from CybercentreCanada/GHSA-75jv-vfxf-3865

1 file changed · +9 −1
  • assemblyline_service_client/task_handler.py (+9 −1, modified)
    @@ -12,11 +12,13 @@
     
     import requests
     import yaml
    +from assemblyline_core.server_base import ServerBase
    +
     from assemblyline.common.digests import get_sha256_for_file
     from assemblyline.common.str_utils import StringTable
    +from assemblyline.odm import SHA256_REGEX
     from assemblyline.odm.messages.task import Task as ServiceTask
     from assemblyline.odm.models.service import Service
    -from assemblyline_core.server_base import ServerBase
     
     STATUSES = StringTable('STATUSES', [
         ('INITIALIZING', 0),
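Review bot: the relocation of `from assemblyline_core.server_base import ServerBase` (removed at the bottom of this hunk, re-added at the top with a blank line after it) is an import-ordering change unrelated to the fix; keeping it out of a security commit would make the backport to the 4.6.0.stable11 line a single added line, `from assemblyline.odm import SHA256_REGEX`. Also confirm that `SHA256_REGEX` as exported by `assemblyline.odm` is a compiled pattern rather than a raw string, since the second hunk calls `.match` on it directly.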
    @@ -365,6 +367,12 @@ def get_task(self) -> ServiceTask:
             return task
     
         def download_file(self, sha256, sid) -> Optional[str]:
    +        if not SHA256_REGEX.match(sha256):
    +            # If the SHA256 is not valid, we cannot download the file
    +            self.log.error(f"[{sid}] Invalid SHA256 provided: {sha256}")
    +            self.status = STATUSES.ERROR_FOUND
    +            return None
    +
             self.status = STATUSES.DOWNLOADING_FILE
             received_file_sha256 = ''
             file_path = None
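Review bot: `SHA256_REGEX.match(sha256)` only anchors at the start of the string, so unless the pattern itself ends with `$` or `\Z`, a value beginning with 64 hex characters and continuing with path separators would still pass this check; `SHA256_REGEX.fullmatch(sha256)` removes the dependency on how the pattern is written. Two smaller points on the same guard: if the server returns a non-string (for example `null`), `.match` raises `TypeError` instead of taking the `ERROR_FOUND` branch, so an `isinstance(sha256, str)` test before the regex would keep the error path uniform; and the `self.log.error` line interpolates the raw server-supplied value into the log, so logging `sha256!r` (or a truncated form) avoids newline-injected log entries from the same untrusted source.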
    

