CVE-2025-55013: 
Python vulnerability analysis and mitigation

The Assemblyline 4 Service Client vulnerability (CVE-2025-55013) was discovered and disclosed on August 9, 2025. This vulnerability affects versions below 4.6.1.dev138 of the Assemblyline 4 Service Client, which interfaces with the API to fetch tasks and publish results for services in Assemblyline 4. The vulnerability stems from the client's improper handling of SHA-256 values returned by the service server (GitHub Advisory).

The vulnerability is a path traversal issue in the task_handler.py component where the client accepts a SHA-256 value returned by the service server and uses it directly as a local file name without proper validation or sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating adjacent network attack vector, high attack complexity, no privileges required, and no user interaction needed (AttackerKB).

A successful exploitation of this vulnerability could allow a malicious or compromised server (or any MITM that can speak to client) to return a path-traversal payload such as '../../../etc/cron.d/evil' and force the client to write downloaded bytes to an arbitrary location on disk. This could lead to arbitrary file writes, potential code execution, and system compromise (GitHub Advisory).

The vulnerability has been fixed in version 4.6.1.dev138 of the Assemblyline 4 Service Client. The fix includes implementing proper validation of SHA-256 values using regex pattern matching before using them as filenames. Organizations are advised to upgrade to the patched version. Additionally, it's recommended to run the client within a containerized environment such as assemblyline-v4-service to ensure filesystem-level permissions and proper network policies (GitHub Advisory).