CVE-2025-55013

CVE-2025-55013 is a medium-severity security vulnerability in assemblyline-service-client (pip), affecting versions < 4.6.0.stable11. It is fixed in 4.6.0.stable11, 4.6.1.dev138.

Summary

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

IMPORTANT: This vulnerability is relevant only if you use assemblyline-service-client outside of the normal practice for running Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as assemblyline-v4-service, which enforces filesystem-level permissions on what the running user is allowed to access. Furthermore, there is less chance of a MITM compromise when Assemblyline is deployed properly in Docker or Kubernetes, where the platform assigns the correct network policies to secure connections between containers instead of relying on the user to set this up manually.

See https://github.com/CybercentreCanada/assemblyline/issues/382 for further discussion.

1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.

No validation / sanitisation is performed.

A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.

2. Affected Versions

Item        Value
Component   assemblyline-service-client
Repository  CybercentreCanada/assemblyline-service-client
Affected    All releases up to the master branch.

3. CVSS 3.1 Vector & Score

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

4. Technical Details

Field            Content
Location         assemblyline_service_client/task_handler.py, inside download_file()
Vulnerable Line  file_path = os.path.join(self.tasking_dir, sha256)
Root Cause       The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation.
Exploit Flow     1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.
                 2. Client writes the response body to /etc/cron.d/evil.
                 3. Achieves arbitrary file write (code execution if the file is executable).

5. Impact

  • Integrity: overwrite any file writable by the service UID (often root).
  • Availability: corrupt critical files or exhaust disk space.
  • Code Execution: drop cron jobs, systemd units, or overwrite binaries.

6. Mitigation / Fix

import re
from typing import Optional

# Exactly 64 hexadecimal characters and nothing else; '../' and path
# separators can never match, so a traversal value is rejected up front.
_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')

def download_file(self, sha256: str, sid: str) -> Optional[str]:
    # Validate the server-supplied value before it is used as a file name.
    # self.log and STATUSES come from the existing task_handler module.
    if not _SHA256_RE.fullmatch(sha256):
        self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
        self.status = STATUSES.ERROR_FOUND
        return None
    # or your preferred way to check if a string is a shasum.
    # ... existing download logic continues here ...
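The following is an added, stand-alone illustration of the check above (not code from the assemblyline-service-client project): the SHA-256 format gate from the advisory, plus a second, defence-in-depth containment check that the joined path still resolves inside the tasking directory. The function names, the tasking directory and the sample server values are constructed for this example; the traversal value is the one quoted in the advisory.

```python
import os
import re
from typing import Optional

# Same check the advisory recommends: exactly 64 hex characters, nothing else.
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}\Z")


def validate_sha256(sha256: str) -> bool:
    """True only if the value is a well-formed SHA-256 hex digest."""
    return isinstance(sha256, str) and _SHA256_RE.fullmatch(sha256) is not None


def resolve_task_path(tasking_dir: str, sha256: str) -> Optional[str]:
    """Return the local path for a server-supplied SHA-256, or None if unsafe.

    First gate: the value must look like a SHA-256 (rejects '../', separators,
    NUL bytes, and anything else a malicious server might send).
    Second gate (defence in depth): after symlink and '..' resolution the joined
    path must still sit inside tasking_dir, so a future change to the first
    gate cannot silently reopen the traversal.
    """
    if not validate_sha256(sha256):
        return None
    base = os.path.realpath(tasking_dir)
    candidate = os.path.realpath(os.path.join(base, sha256))
    # commonpath guards against prefix tricks such as '/tmp/tasks' vs '/tmp/tasks2'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample values, standing in for the 'sha256' field of the
# service-server JSON response; the traversal value is the advisory's own.
SAMPLE_RESPONSES = {
    "valid": "a" * 64,
    "traversal": "../../../etc/cron.d/evil",
    "too_short": "abc123",
    "hex_with_slash": "a" * 59 + "/../x",   # 64 chars, but not a digest
}

if __name__ == "__main__":
    for label, value in SAMPLE_RESPONSES.items():
        print(f"{label:15} -> {resolve_task_path('/tmp/tasks', value)}")
```

Only the "valid" entry yields a path; the length-64 value containing a separator is rejected by the regex, which is why a length check alone is not a fix.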

Impact

CVE-2025-55013 has a CVSS score of 4.2 (Medium). The vector is reachable from an adjacent network, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.6.0.stable11, 4.6.1.dev138); upgrading removes the vulnerable code path.

Affected versions

assemblyline-service-client (< 4.6.0.stable11)
assemblyline-service-client (>= 4.6.1.dev0, < 4.6.1.dev138)

Security releases

assemblyline-service-client → 4.6.0.stable11 (pip)
assemblyline-service-client → 4.6.1.dev138 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade the following packages to resolve this vulnerability:

assemblyline-service-client to 4.6.0.stable11 or later
assemblyline-service-client to 4.6.1.dev138 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-55013? CVE-2025-55013 is a medium-severity security vulnerability in assemblyline-service-client (pip), affecting versions < 4.6.0.stable11. It is fixed in 4.6.0.stable11, 4.6.1.dev138.
  2. How severe is CVE-2025-55013? CVE-2025-55013 has a CVSS score of 4.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of assemblyline-service-client are affected by CVE-2025-55013? assemblyline-service-client (pip) versions < 4.6.0.stable11 are affected.
  4. Is there a fix for CVE-2025-55013? Yes. CVE-2025-55013 is fixed in 4.6.0.stable11 and 4.6.1.dev138. Upgrade to one of these versions or later.
  5. Is CVE-2025-55013 exploitable, and should I be worried? Whether CVE-2025-55013 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-55013 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-55013?
    • Upgrade assemblyline-service-client to 4.6.0.stable11 or later
    • Upgrade assemblyline-service-client to 4.6.1.dev138 or later
