CVE-2025-55013: CWE-23: Relative Path Traversal in CybercentreCanada assemblyline
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138.
AI Analysis
Technical Summary
CVE-2025-55013 is a critical vulnerability classified as CWE-23 (Relative Path Traversal) in the Assemblyline 4 Service Client from CybercentreCanada. Assemblyline 4 is a malware analysis and triage framework with a client-server architecture: each analysis service runs a Service Client that fetches tasks from the service server over its API, downloads the file to be analysed, and publishes the result. In versions prior to 4.6.1.dev138 the client (task_handler.py) takes the SHA-256 value the server returns for a file and uses it directly as the local file name for the downloaded bytes, without checking that the value is actually a 64-character hex digest or that the resulting path stays inside the working directory. A malicious or compromised server, or any MITM able to speak to the client, can therefore return a value such as '../../../etc/cron.d/evil' and make the client write attacker-chosen content to any location the client process can write to. Because the attacker controls both the path and the bytes, this is an arbitrary file write: dropping a cron entry, a startup script or a replacement for a file the service later loads can lead to code execution on the host and a persistent foothold. The practical blast radius depends on the privileges and confinement of the client process; in a container, writes are limited to that container's filesystem and any mounted volumes, but the service container is the component that handles untrusted samples, so even a contained compromise sits in a sensitive place. The fix in 4.6.1.dev138 validates the server-returned value before using it as a file name. The CVSS v3.1 base score is 10.0 (network attack vector, low attack complexity, no privileges required, no user interaction, scope change), reflecting that exploitation needs no authentication and can affect components beyond the client itself. No exploitation in the wild has been reported, but the low complexity and high impact make this a high-risk issue for any deployment still running an unpatched client.
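The following is an added illustration, not code from Assemblyline or from the advisory: it reproduces the flawed pattern described above (a server-supplied "SHA-256" joined straight onto the working directory) next to a hardened version that allow-lists the identifier as a bare hex digest, confirms the resolved path is a direct child of the base directory, and checks that the downloaded bytes actually hash to the claimed value. All function names, the directory layout and the sample payload are assumptions made for the example; the demo runs inside a temporary directory so the traversal lands in a sandbox rather than on the real host.

```python
"""Added example (not Assemblyline code): a vulnerable file-save routine in the
shape described for task_handler.py, next to a hardened version.  Function and
variable names are assumptions made for this illustration."""
import hashlib
import os
import re
import tempfile

# Assemblyline identifies files by lowercase hex SHA-256; anything else is not a file name.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


class UnsafeFilename(ValueError):
    """Raised when a server-supplied file identifier is not a bare SHA-256 digest."""


def save_task_file_vulnerable(base_dir, sha256_from_server, data):
    """The flawed pattern: the server-returned value is joined straight onto the
    working directory, so '../../../etc/cron.d/evil' escapes base_dir."""
    path = os.path.join(base_dir, sha256_from_server)
    # makedirs is only here so the demo can run inside a temp sandbox.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def is_safe_sha256_name(name):
    """True only for a 64-character lowercase hex digest with no path characters."""
    return isinstance(name, str) and SHA256_RE.fullmatch(name) is not None


def safe_task_path(base_dir, sha256_from_server):
    """Allow-list the identifier, then confirm the resolved path is a direct child
    of base_dir (defence in depth against symlinks or future format changes)."""
    if not is_safe_sha256_name(sha256_from_server):
        raise UnsafeFilename(f"refusing server-supplied name {sha256_from_server!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, sha256_from_server))
    if os.path.dirname(path) != base:
        raise UnsafeFilename(f"{path} is outside {base}")
    return path


def save_task_file_hardened(base_dir, sha256_from_server, data):
    """Write only to a validated path, and only if the bytes match the claimed hash."""
    path = safe_task_path(base_dir, sha256_from_server)
    if hashlib.sha256(data).hexdigest() != sha256_from_server:
        raise ValueError("downloaded bytes do not match the SHA-256 the server claimed")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed scenario in a temp directory that stands in for the host
    filesystem; the traversal payload is scaled to stay inside the sandbox."""
    payload = "../../outside/evil"            # analogue of ../../../etc/cron.d/evil
    data = b"* * * * * root /bin/sh -c id\n"  # constructed cron-style content
    with tempfile.TemporaryDirectory() as root:
        base_dir = os.path.join(root, "service", "files")
        os.makedirs(base_dir)
        real_base = os.path.realpath(base_dir)

        vuln_path = os.path.realpath(save_task_file_vulnerable(base_dir, payload, data))
        escaped = os.path.commonpath([real_base, vuln_path]) != real_base

        try:
            save_task_file_hardened(base_dir, payload, data)
            rejected = False
        except UnsafeFilename:
            rejected = True

        good = hashlib.sha256(data).hexdigest()
        ok_path = os.path.realpath(save_task_file_hardened(base_dir, good, data))
        return {
            "vulnerable_escaped": escaped,
            "vulnerable_path": os.path.relpath(vuln_path, os.path.realpath(root)).replace(os.sep, "/"),
            "hardened_rejected": rejected,
            "hardened_inside_base": os.path.dirname(ok_path) == real_base,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The regex allow-list is the check that actually closes the hole; the realpath comparison and the hash verification are there so that a future change to the identifier format, a symlinked working directory, or a server that lies about content cannot quietly reopen it.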
Potential Impact
For European organizations using Assemblyline 4 for malware analysis or threat detection, the risk is that the component built to handle hostile files becomes the foothold. An attacker who controls the service server, or can intercept the client's API traffic, can make the client write arbitrary files on the host running the service, leading to code execution, persistent malware or disruption of the analysis pipeline. This undermines the integrity and availability of infrastructure that incident response and threat intelligence depend on. Because Assemblyline typically sits in a SOC or research network with access to sample stores and other internal systems, a compromised service host is a plausible starting point for lateral movement, data theft or silent sabotage of detection results. The critical CVSS score reflects exploitation without authentication or user interaction. Organizations relying on the tool should treat patching as a priority to preserve the confidentiality, integrity and availability of their security environment.
Mitigation Recommendations
1. Upgrade the Assemblyline 4 Service Client to version 4.6.1.dev138 or later in every service. Each service container carries its own copy of the client, so check the version baked into each service image rather than only the core deployment.
2. Restrict the client's network path so it can reach only the legitimate service server (segmentation, firewall rules). This reduces MITM exposure but does nothing against a compromised server, which the client trusts by design; the patch is the only fix for that case.
3. Use TLS with certificate validation for all client-server traffic so API responses cannot be intercepted or altered in transit.
4. Monitor hosts and containers running the client for file writes outside the service working directory, in particular to cron.d, systemd unit directories, shell profiles and other autostart locations.
5. Run periodic integrity checks and audits of the client environment to detect tampering.
6. If upgrading is not immediately possible, add host-based intrusion detection to alert on suspicious file creation or modification, and run the client with the least privilege and filesystem access the service needs so that an escaped write lands somewhere harmless.
7. Brief security teams on the issue and make sure incident response playbooks cover detection and remediation of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-04T17:34:24.422Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6896b351ad5a09ad00087c2d
Added to database: 8/9/2025, 2:32:49 AM
Last enriched: 8/9/2025, 2:47:46 AM
Last updated: 8/9/2025, 9:53:09 PM
Related Threats
CVE-2025-8775: Unrestricted Upload in Qiyuesuo Electronic Signature Platform (Medium)
CVE-2025-8773: SQL Injection in Dinstar Monitoring Platform 甘肃省危险品库监控平台 (Gansu Province Hazardous Materials Warehouse Monitoring Platform) (Medium)
CVE-2025-8772: Server-Side Request Forgery in Vinades NukeViet (Medium)
CVE-2025-8765: Cross Site Scripting in Datacom DM955 5GT 1200 (Medium)
CVE-2025-8764: Unrestricted Upload in linlinjava litemall (Medium)