10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-75jv-vfxf-3865

EPSS Score

CWE

CWE-23

Published

7/25/2025

Updated

7/25/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-75jv-vfxf-3865

GHSA-75jv-vfxf-3865: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.

No validation / sanitisation is performed.

A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.

2. Affected Versions

| Item | Value | |---|---| | Component | assemblyline-service-client | | Repository | CybercentreCanada/assemblyline-service-client | | Affected | All releases up to master branch. |

4. Technical Details

| Field | Content | |---|---| | Location | assemblyline_service_client/task_handler.py, inside download_file() | | Vulnerable Line | file_path = os.path.join(self.tasking_dir, sha256) | | Root Cause | The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. | | Exploit Flow | 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.<br>2. Client writes the response body to /etc/cron.d/evil.<br>3. Achieves arbitrary file write (code execution if file is executable). |

5. Impact

Integrity – Overwrite any file writable by the service UID (often root).

Miggo Vulnerability Database

→

GHSA-75jv-vfxf-3865

GHSA-75jv-vfxf-3865:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-75jv-vfxf-3865

EPSS Score

CWE

CWE-23

Published

7/25/2025

Updated

7/25/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
assemblyline-service-client	pip	< 4.6.0.stable11	4.6.0.stable11
assemblyline-service-client	pip	>= 4.6.1.dev0, < 4.6.1.dev138	4.6.1.dev138

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the assemblyline-service-client library, specifically within the download_file method of the TaskHandler class. The root cause is the lack of input validation on the sha256 parameter, which is received from a service server. A malicious or compromised server can send a path traversal string (e.g., ../../../tmp/pwned) instead of a valid SHA256 hash. The client code then concatenates this malicious string with a base directory and attempts to write a file to that location. This allows an attacker to write arbitrary files to any location on the filesystem where the user running the service client has write permissions. The provided patch confirms this by adding a regular expression check to validate the format of the sha256 string, ensuring it is a legitimate hash before it is used to construct a file path. The identified function TaskHandler.download_file is the exact location where the vulnerable code exists and where the fix was applied.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-75jv-vfxf-3865: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code

1. Summary

2. Affected Versions

4. Technical Details

5. Impact

GHSA-75jv-vfxf-3865:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

10

10

GHSA-75jv-vfxf-3865: Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code

1. Summary

2. Affected Versions

4. Technical Details

5. Impact

6. Mitigation / Fix

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI