CVE-2025-55013

4.2 MEDIUM

📋 TL;DR

This vulnerability allows a malicious or compromised Assemblyline 4 server (or any MITM attacker) to write arbitrary files to any location on the client's filesystem by providing path-traversal payloads in SHA-256 values. It affects all Assemblyline 4 Service Client installations below version 4.6.1.dev138 that communicate with untrusted or potentially compromised servers.

💻 Affected Systems

Products:
  • Assemblyline 4 Service Client
Versions: All versions below 4.6.1.dev138
Operating Systems: All operating systems running Assemblyline 4 Service Client
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires client to communicate with a malicious or compromised server. Default configurations are vulnerable if server trust is broken.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could write malicious files to critical system locations (e.g., /etc/cron.d, startup scripts, SSH keys) leading to complete system compromise, persistence, or data destruction.

🟠 Likely Case

A compromised Assemblyline server could deploy malware or backdoors to client systems, potentially spreading through the analysis infrastructure.

🟢 If Mitigated

With proper network segmentation and server authentication, impact is limited to the specific client service account's permissions.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires either a compromised Assemblyline server or MITM position between client and server. The vulnerability is in how the client processes server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.1.dev138 and above

Vendor Advisory: https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865

Restart Required: No

Instructions:

1. Update Assemblyline 4 Service Client to version 4.6.1.dev138 or higher.
2. Verify the fix by checking that commit 351414e7e96cc1f5640ae71ae51b939e8ba30900 is present.
3. No service restart is required for the fix to take effect.

🔧 Temporary Workarounds

Network Segmentation and Server Authentication

Applies to: all

Restrict client communication to trusted Assemblyline servers only, using network controls and strong server authentication.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Assemblyline clients from untrusted networks
  • Use application allowlisting to prevent execution of unauthorized files written to unexpected locations

🔍 How to Verify

Check if Vulnerable:

Check if Assemblyline 4 Service Client version is below 4.6.1.dev138. Review task_handler.py for direct use of SHA-256 values as file paths without sanitization.
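As an added illustration (this is not the project's code and not the actual patch), the check a hardened client applies before turning a server-supplied SHA-256 into a path, shown beside the unsanitized join the advisory describes; the working directory and function names are assumptions for the example:

```python
import os
import re
from pathlib import Path

# A SHA-256 digest is exactly 64 lowercase hex characters; any other value
# is not a digest and must never reach a filesystem call.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def vulnerable_file_path(base_dir: str, sha256: str) -> str:
    # The pattern the advisory describes: the server-supplied value is joined
    # straight into a path, so "../../etc/cron.d/x" (or an absolute path,
    # which os.path.join simply adopts) lands outside base_dir.
    return os.path.join(base_dir, sha256)


def safe_file_path(base_dir: str, sha256: str) -> str:
    """Return base_dir/<sha256> only if the value is a well-formed digest
    and the resolved path still lies directly inside base_dir; else raise."""
    if not SHA256_RE.fullmatch(sha256):
        raise ValueError(f"rejected non-digest value from server: {sha256!r}")
    base = Path(base_dir).resolve()
    target = (base / sha256).resolve()
    # Defence in depth: even a value that passed the regex must not escape.
    if target.parent != base:
        raise ValueError("resolved path escaped the working directory")
    return str(target)


def classify(base_dir: str, sha256: str) -> str:
    """Label a server-supplied value: 'ok' (accepted), 'rejected' (bad
    digest but still inside base_dir), or 'escaped' (the vulnerable join
    would have written outside base_dir)."""
    try:
        safe_file_path(base_dir, sha256)
        return "ok"
    except ValueError:
        naive = os.path.normpath(vulnerable_file_path(base_dir, sha256))
        inside = naive.startswith(os.path.normpath(base_dir) + os.sep)
        return "rejected" if inside else "escaped"


if __name__ == "__main__":
    # Constructed sample values standing in for fields of a server response.
    work = "/var/lib/assemblyline/working"  # assumed directory for the example
    for value in ["a" * 64, "../../../../etc/cron.d/evil", "/etc/ssh/authorized_keys"]:
        print(f"{value!r:45} -> {classify(work, value)}")
```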

Check Version:

Check the Assemblyline service client version in your deployment configuration or run: python -c "import assemblyline_service_client; print(assemblyline_service_client.__version__)"

Verify Fix Applied:

Verify the installation includes commit 351414e7e96cc1f5640ae71ae51b939e8ba30900 which adds path sanitization in task_handler.py.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside expected Assemblyline directories
  • File operations with path traversal patterns (../) in file paths

Network Indicators:

  • Unusual network traffic patterns between Assemblyline clients and servers
  • MITM detection alerts between client-server communication

SIEM Query:

source="assemblyline" AND (file_path="*../*" OR (file_operation="write" AND file_path NOT STARTS WITH "/expected/assemblyline/path/"))
