{"id":"CVE-2025-55013","summary":"Assemblyline 4 Service Client: Arbitrary Write through path traversal in Client code","details":"The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.","aliases":["GHSA-75jv-vfxf-3865"],"modified":"2026-04-10T05:30:43.799611Z","published":"2025-08-09T02:02:23.602Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-23"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55013.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55013.json"},{"type":"ADVISORY","url":"https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55013"},{"type":"FIX","url":"https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cybercentrecanada/assemblyline-service-client","events":[{"introduced":"0"},{"fixed":"351414e7e96cc1f5640ae71ae51b939e8ba30900"}]}],"versions":["v4.0.0.dev100","v4.0.0.dev101","v4.0.0.dev102","v4.0.0.dev103","v4.0.0.dev104","v4.0.0.dev105","v4.0.0.dev106","v4.0.0.dev107","v4.0.0.dev108","v4.0.0.dev109","v4.0.0.dev110","v4.0.0.dev111","v4.0.0.dev112","v4.0.0.dev113","v4.0.0.dev114","v4.0.0.dev115","v4.0.0.dev116","v4.0.0.dev117","v4.0.0.dev118","v4.0.0.dev119","v4.0.0.dev
120","v4.0.0.dev121","v4.0.0.dev122","v4.0.0.dev123","v4.0.0.dev124","v4.0.0.dev125","v4.0.0.dev126","v4.0.0.dev127","v4.0.0.dev128","v4.0.0.dev129","v4.0.0.dev130","v4.0.0.dev131","v4.0.0.dev132","v4.0.0.dev133","v4.0.0.dev134","v4.0.0.dev135","v4.0.0.dev83","v4.0.0.dev84","v4.0.0.dev85","v4.0.0.dev86","v4.0.0.dev87","v4.0.0.dev88","v4.0.0.dev89","v4.0.0.dev90","v4.0.0.dev91","v4.0.0.dev92","v4.0.0.dev93","v4.0.0.dev94","v4.0.0.dev95","v4.0.0.dev96","v4.0.0.dev97","v4.0.0.dev98","v4.0.0.dev99","v4.0.0.stable0","v4.0.0.stable1","v4.0.0.stable2","v4.0.0.stable3","v4.0.0.stable4","v4.0.0.stable5","v4.0.1.dev1","v4.1.0.stable0","v4.1.0.stable1","v4.1.0.stable10","v4.1.0.stable11","v4.1.0.stable12","v4.1.0.stable13","v4.1.0.stable14","v4.1.0.stable15","v4.1.0.stable16","v4.1.0.stable17","v4.1.0.stable18","v4.1.0.stable19","v4.1.0.stable2","v4.1.0.stable20","v4.1.0.stable21","v4.1.0.stable22","v4.1.0.stable23","v4.1.0.stable24","v4.1.0.stable25","v4.1.0.stable26","v4.1.0.stable27","v4.1.0.stable28","v4.1.0.stable29","v4.1.0.stable3","v4.1.0.stable30","v4.1.0.stable31","v4.1.0.stable32","v4.1.0.stable33","v4.1.0.stable34","v4.1.0.stable35","v4.1.0.stable4","v4.1.0.stable5","v4.1.0.stable6","v4.1.0.stable7","v4.1.0.stable8","v4.1.0.stable9","v4.2.0.stable0","v4.2.0.stable1","v4.2.0.stable10","v4.2.0.stable100","v4.2.0.stable101","v4.2.0.stable102","v4.2.0.stable103","v4.2.0.stable104","v4.2.0.stable105","v4.2.0.stable106","v4.2.0.stable107","v4.2.0.stable108","v4.2.0.stable109","v4.2.0.stable11","v4.2.0.stable110","v4.2.0.stable111","v4.2.0.stable112","v4.2.0.stable113","v4.2.0.stable114","v4.2.0.stable115","v4.2.0.stable116","v4.2.0.stable117","v4.2.0.stable118","v4.2.0.stable119","v4.2.0.stable12","v4.2.0.stable120","v4.2.0.stable121","v4.2.0.stable122","v4.2.0.stable123","v4.2.0.stable124","v4.2.0.stable125","v4.2.0.stable13","v4.2.0.stable14","v4.2.0.stable15","v4.2.0.stable16","v4.2.0.stable17","v4.2.0.stable18","v4.2.0.stable19","v4.2.0.stable2","v4.2.0.stable20","v4
.2.0.stable21","v4.2.0.stable22","v4.2.0.stable23","v4.2.0.stable24","v4.2.0.stable25","v4.2.0.stable26","v4.2.0.stable27","v4.2.0.stable28","v4.2.0.stable29","v4.2.0.stable3","v4.2.0.stable30","v4.2.0.stable31","v4.2.0.stable32","v4.2.0.stable33","v4.2.0.stable34","v4.2.0.stable35","v4.2.0.stable36","v4.2.0.stable37","v4.2.0.stable38","v4.2.0.stable39","v4.2.0.stable4","v4.2.0.stable40","v4.2.0.stable41","v4.2.0.stable42","v4.2.0.stable43","v4.2.0.stable44","v4.2.0.stable45","v4.2.0.stable46","v4.2.0.stable47","v4.2.0.stable48","v4.2.0.stable49","v4.2.0.stable5","v4.2.0.stable50","v4.2.0.stable51","v4.2.0.stable52","v4.2.0.stable53","v4.2.0.stable54","v4.2.0.stable55","v4.2.0.stable56","v4.2.0.stable57","v4.2.0.stable58","v4.2.0.stable59","v4.2.0.stable6","v4.2.0.stable60","v4.2.0.stable61","v4.2.0.stable62","v4.2.0.stable63","v4.2.0.stable64","v4.2.0.stable65","v4.2.0.stable66","v4.2.0.stable67","v4.2.0.stable68","v4.2.0.stable69","v4.2.0.stable7","v4.2.0.stable70","v4.2.0.stable71","v4.2.0.stable72","v4.2.0.stable73","v4.2.0.stable74","v4.2.0.stable75","v4.2.0.stable76","v4.2.0.stable77","v4.2.0.stable78","v4.2.0.stable8","v4.2.0.stable80","v4.2.0.stable81","v4.2.0.stable82","v4.2.0.stable83","v4.2.0.stable84","v4.2.0.stable85","v4.2.0.stable86","v4.2.0.stable87","v4.2.0.stable88","v4.2.0.stable89","v4.2.0.stable9","v4.2.0.stable90","v4.2.0.stable91","v4.2.0.stable92","v4.2.0.stable93","v4.2.0.stable94","v4.2.0.stable95","v4.2.0.stable96","v4.2.0.stable97","v4.2.0.stable98","v4.2.0.stable99","v4.2.1.stable124","v4.2.2.stable0","v4.2.2.stable1","v4.2.2.stable10","v4.2.2.stable11","v4.2.2.stable2","v4.2.2.stable3","v4.2.2.stable4","v4.2.2.stable5","v4.2.2.stable6","v4.2.2.stable7","v4.2.2.stable8","v4.2.2.stable9","v4.3.0.stable0","v4.3.0.stable1","v4.3.0.stable10","v4.3.0.stable11","v4.3.0.stable12","v4.3.0.stable13","v4.3.0.stable14","v4.3.0.stable15","v4.3.0.stable16","v4.3.0.stable17","v4.3.0.stable18","v4.3.0.stable19","v4.3.0.stable2","v4.3.0.stable20","v4.3.
0.stable21","v4.3.0.stable22","v4.3.0.stable23","v4.3.0.stable24","v4.3.0.stable25","v4.3.0.stable26","v4.3.0.stable27","v4.3.0.stable28","v4.3.0.stable29","v4.3.0.stable3","v4.3.0.stable30","v4.3.0.stable31","v4.3.0.stable32","v4.3.0.stable33","v4.3.0.stable34","v4.3.0.stable35","v4.3.0.stable36","v4.3.0.stable37","v4.3.0.stable38","v4.3.0.stable39","v4.3.0.stable4","v4.3.0.stable40","v4.3.0.stable41","v4.3.0.stable42","v4.3.0.stable43","v4.3.0.stable44","v4.3.0.stable45","v4.3.0.stable46","v4.3.0.stable47","v4.3.0.stable48","v4.3.0.stable49","v4.3.0.stable5","v4.3.0.stable50","v4.3.0.stable51","v4.3.0.stable52","v4.3.0.stable53","v4.3.0.stable54","v4.3.0.stable55","v4.3.0.stable56","v4.3.0.stable57","v4.3.0.stable58","v4.3.0.stable59","v4.3.0.stable6","v4.3.0.stable60","v4.3.0.stable61","v4.3.0.stable62","v4.3.0.stable7","v4.3.0.stable8","v4.3.0.stable9","v4.3.1.stable0","v4.3.1.stable1","v4.3.1.stable10","v4.3.1.stable11","v4.3.1.stable12","v4.3.1.stable13","v4.3.1.stable14","v4.3.1.stable15","v4.3.1.stable16","v4.3.1.stable17","v4.3.1.stable18","v4.3.1.stable19","v4.3.1.stable2","v4.3.1.stable20","v4.3.1.stable21","v4.3.1.stable22","v4.3.1.stable23","v4.3.1.stable24","v4.3.1.stable3","v4.3.1.stable4","v4.3.1.stable5","v4.3.1.stable6","v4.3.1.stable7","v4.3.1.stable8","v4.3.1.stable9","v4.4.0.stable0","v4.4.0.stable1","v4.4.0.stable10","v4.4.0.stable11","v4.4.0.stable12","v4.4.0.stable13","v4.4.0.stable14","v4.4.0.stable15","v4.4.0.stable16","v4.4.0.stable17","v4.4.0.stable18","v4.4.0.stable19","v4.4.0.stable2","v4.4.0.stable20","v4.4.0.stable21","v4.4.0.stable22","v4.4.0.stable23","v4.4.0.stable24","v4.4.0.stable25","v4.4.0.stable26","v4.4.0.stable27","v4.4.0.stable28","v4.4.0.stable29","v4.4.0.stable3","v4.4.0.stable30","v4.4.0.stable31","v4.4.0.stable32","v4.4.0.stable33","v4.4.0.stable34","v4.4.0.stable35","v4.4.0.stable36","v4.4.0.stable37","v4.4.0.stable38","v4.4.0.stable39","v4.4.0.stable4","v4.4.0.stable40","v4.4.0.stable41","v4.4.0.stable42","v4.4.0.stab
le43","v4.4.0.stable44","v4.4.0.stable45","v4.4.0.stable46","v4.4.0.stable47","v4.4.0.stable48","v4.4.0.stable49","v4.4.0.stable5","v4.4.0.stable50","v4.4.0.stable51","v4.4.0.stable52","v4.4.0.stable53","v4.4.0.stable54","v4.4.0.stable55","v4.4.0.stable56","v4.4.0.stable57","v4.4.0.stable58","v4.4.0.stable59","v4.4.0.stable6","v4.4.0.stable60","v4.4.0.stable61","v4.4.0.stable62","v4.4.0.stable63","v4.4.0.stable64","v4.4.0.stable65","v4.4.0.stable66","v4.4.0.stable67","v4.4.0.stable68","v4.4.0.stable69","v4.4.0.stable7","v4.4.0.stable70","v4.4.0.stable71","v4.4.0.stable72","v4.4.0.stable73","v4.4.0.stable74","v4.4.0.stable75","v4.4.0.stable76","v4.4.0.stable77","v4.4.0.stable78","v4.4.0.stable79","v4.4.0.stable8","v4.4.0.stable80","v4.4.0.stable81","v4.4.0.stable82","v4.4.0.stable83","v4.4.0.stable84","v4.4.0.stable85","v4.4.0.stable86","v4.4.0.stable87","v4.4.0.stable88","v4.4.0.stable89","v4.4.0.stable9","v4.4.0.stable90","v4.4.0.stable91","v4.5.0.stable0","v4.5.0.stable1","v4.5.0.stable10","v4.5.0.stable11","v4.5.0.stable12","v4.5.0.stable13","v4.5.0.stable14","v4.5.0.stable15","v4.5.0.stable16","v4.5.0.stable17","v4.5.0.stable18","v4.5.0.stable19","v4.5.0.stable2","v4.5.0.stable20","v4.5.0.stable21","v4.5.0.stable22","v4.5.0.stable23","v4.5.0.stable24","v4.5.0.stable25","v4.5.0.stable26","v4.5.0.stable27","v4.5.0.stable28","v4.5.0.stable29","v4.5.0.stable3","v4.5.0.stable30","v4.5.0.stable31","v4.5.0.stable32","v4.5.0.stable33","v4.5.0.stable34","v4.5.0.stable35","v4.5.0.stable36","v4.5.0.stable37","v4.5.0.stable38","v4.5.0.stable39","v4.5.0.stable4","v4.5.0.stable40","v4.5.0.stable41","v4.5.0.stable42","v4.5.0.stable43","v4.5.0.stable44","v4.5.0.stable45","v4.5.0.stable46","v4.5.0.stable47","v4.5.0.stable48","v4.5.0.stable49","v4.5.0.stable5","v4.5.0.stable50","v4.5.0.stable51","v4.5.0.stable52","v4.5.0.stable53","v4.5.0.stable54","v4.5.0.stable55","v4.5.0.stable56","v4.5.0.stable57","v4.5.0.stable58","v4.5.0.stable59","v4.5.0.stable6","v4.5.0.stable60","v4.5.0.
stable61","v4.5.0.stable62","v4.5.0.stable63","v4.5.0.stable64","v4.5.0.stable65","v4.5.0.stable66","v4.5.0.stable67","v4.5.0.stable68","v4.5.0.stable69","v4.5.0.stable7","v4.5.0.stable70","v4.5.0.stable71","v4.5.0.stable72","v4.5.0.stable73","v4.5.0.stable74","v4.5.0.stable75","v4.5.0.stable76","v4.5.0.stable77","v4.5.0.stable78","v4.5.0.stable79","v4.5.0.stable8","v4.5.0.stable9","v4.5.1.dev431","v4.5.1.dev432","v4.5.1.dev433","v4.5.1.dev434","v4.5.1.dev435","v4.5.1.dev436","v4.5.1.dev437","v4.5.1.dev438","v4.5.1.dev439","v4.5.1.dev440","v4.5.1.dev441","v4.5.1.dev442","v4.5.1.dev443","v4.5.1.dev444","v4.5.1.dev445","v4.5.1.dev446","v4.5.1.dev447","v4.5.1.dev448","v4.5.1.dev449","v4.5.1.dev450","v4.5.1.dev451","v4.5.1.dev452","v4.5.1.dev453","v4.5.1.dev454","v4.5.1.dev455","v4.5.1.dev456","v4.5.1.dev457","v4.5.1.dev458","v4.5.1.dev459","v4.5.1.dev460","v4.5.1.dev461","v4.5.1.dev462","v4.5.1.dev463","v4.5.1.dev464","v4.5.1.dev465","v4.5.1.dev466","v4.5.1.dev467","v4.5.1.dev468","v4.5.1.dev469","v4.5.1.dev470","v4.5.1.dev471","v4.5.1.dev472","v4.5.1.dev473","v4.5.1.dev474","v4.5.1.dev475","v4.5.1.dev476","v4.5.1.dev477","v4.5.1.dev478","v4.5.1.dev479","v4.5.1.dev480","v4.5.1.dev481","v4.5.1.dev482","v4.5.1.dev483","v4.5.1.dev484","v4.5.1.dev485","v4.5.1.dev486","v4.5.1.dev487","v4.5.1.dev488","v4.5.1.dev489","v4.5.1.dev490","v4.5.1.dev491","v4.5.1.dev492","v4.5.1.dev493","v4.5.1.dev494","v4.5.1.dev495","v4.5.1.dev496","v4.5.1.dev497","v4.5.1.dev498","v4.5.1.dev499","v4.5.1.dev500","v4.5.1.dev501","v4.5.1.dev502","v4.5.1.dev503","v4.5.1.dev504","v4.5.1.dev505","v4.5.1.dev506","v4.5.1.dev507","v4.5.1.dev508","v4.6.0.dev0","v4.6.0.dev1","v4.6.0.dev10","v4.6.0.dev11","v4.6.0.dev2","v4.6.0.dev3","v4.6.0.dev4","v4.6.0.dev5","v4.6.0.dev6","v4.6.0.dev7","v4.6.0.dev8","v4.6.0.dev9","v4.6.1.dev0","v4.6.1.dev1","v4.6.1.dev10","v4.6.1.dev100","v4.6.1.dev101","v4.6.1.dev102","v4.6.1.dev103","v4.6.1.dev104","v4.6.1.dev105","v4.6.1.dev106","v4.6.1.dev107","v4.6.1.dev108","v4.6.1.de
v109","v4.6.1.dev11","v4.6.1.dev110","v4.6.1.dev111","v4.6.1.dev112","v4.6.1.dev113","v4.6.1.dev114","v4.6.1.dev115","v4.6.1.dev116","v4.6.1.dev117","v4.6.1.dev119","v4.6.1.dev12","v4.6.1.dev120","v4.6.1.dev121","v4.6.1.dev122","v4.6.1.dev123","v4.6.1.dev124","v4.6.1.dev125","v4.6.1.dev126","v4.6.1.dev127","v4.6.1.dev128","v4.6.1.dev129","v4.6.1.dev13","v4.6.1.dev130","v4.6.1.dev131","v4.6.1.dev132","v4.6.1.dev133","v4.6.1.dev134","v4.6.1.dev135","v4.6.1.dev136","v4.6.1.dev137","v4.6.1.dev14","v4.6.1.dev15","v4.6.1.dev16","v4.6.1.dev17","v4.6.1.dev18","v4.6.1.dev19","v4.6.1.dev2","v4.6.1.dev20","v4.6.1.dev21","v4.6.1.dev22","v4.6.1.dev23","v4.6.1.dev24","v4.6.1.dev25","v4.6.1.dev26","v4.6.1.dev27","v4.6.1.dev28","v4.6.1.dev29","v4.6.1.dev3","v4.6.1.dev30","v4.6.1.dev31","v4.6.1.dev32","v4.6.1.dev33","v4.6.1.dev34","v4.6.1.dev35","v4.6.1.dev36","v4.6.1.dev37","v4.6.1.dev38","v4.6.1.dev39","v4.6.1.dev4","v4.6.1.dev40","v4.6.1.dev41","v4.6.1.dev42","v4.6.1.dev43","v4.6.1.dev44","v4.6.1.dev45","v4.6.1.dev46","v4.6.1.dev47","v4.6.1.dev48","v4.6.1.dev49","v4.6.1.dev5","v4.6.1.dev50","v4.6.1.dev51","v4.6.1.dev52","v4.6.1.dev53","v4.6.1.dev54","v4.6.1.dev55","v4.6.1.dev56","v4.6.1.dev57","v4.6.1.dev58","v4.6.1.dev59","v4.6.1.dev6","v4.6.1.dev60","v4.6.1.dev61","v4.6.1.dev62","v4.6.1.dev63","v4.6.1.dev64","v4.6.1.dev65","v4.6.1.dev66","v4.6.1.dev67","v4.6.1.dev68","v4.6.1.dev69","v4.6.1.dev7","v4.6.1.dev70","v4.6.1.dev71","v4.6.1.dev72","v4.6.1.dev73","v4.6.1.dev74","v4.6.1.dev75","v4.6.1.dev76","v4.6.1.dev77","v4.6.1.dev78","v4.6.1.dev79","v4.6.1.dev8","v4.6.1.dev80","v4.6.1.dev81","v4.6.1.dev82","v4.6.1.dev83","v4.6.1.dev84","v4.6.1.dev85","v4.6.1.dev86","v4.6.1.dev87","v4.6.1.dev88","v4.6.1.dev89","v4.6.1.dev9","v4.6.1.dev90","v4.6.1.dev91","v4.6.1.dev92","v4.6.1.dev93","v4.6.1.dev94","v4.6.1.dev95","v4.6.1.dev96","v4.6.1.dev97","v4.6.1.dev98","v4.6.1.dev99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55013.json"}}
],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}