How to fix CVE-2025-55013?

During next maintenance window: Identify affected systems running Assemblyline 4. In and apply vendor patches when convenient. Monitor vendor channels for patch availability.

Is Assemblyline affected by CVE-2025-55013?

Organizations using Assemblyline 4. In should be aware of moderate risk from CVE-2025-55013 rated CVSS 4.2. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and monitor for exploitation.

Assemblyline CVE-2025-55013

MEDIUM

Relative Path Traversal (CWE-23)

2025-08-09 [email protected]

Information Disclosure

4.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:06 vuln.today

CVE Published

Aug 09, 2025 - 03:15 nvd

MEDIUM 4.2

DescriptionNVD

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.

AnalysisAI

The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. Rated medium severity (CVSS 4.2), this vulnerability is no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-23. The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138. Version information: version 4.6.1..

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-55013 vulnerability details – vuln.today

Back

Assemblyline CVE-2025-55013

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code