Skip to content

Arbitrary Write through path traversal in Client code

Critical
cccs-rs published GHSA-75jv-vfxf-3865 Jul 25, 2025

Package

Assemblyline's client (Client)

Affected versions

<4.6.1.dev138,<4.6.0.stable11

Patched versions

4.6.1.dev138+

Description

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.

No validation / sanitisation is performed.

A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.

2. Affected Versions

Item Value
Component assemblyline-service-client
Repository CybercentreCanada/assemblyline-service-client
Affected All releases up to master branch.

3. CVSS 3.1 Vector & Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

4. Technical Details

Field Content
Location assemblyline_service_client/task_handler.py, inside download_file()
Vulnerable Line file_path = os.path.join(self.tasking_dir, sha256)
Root Cause The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation.
Exploit Flow 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.
2. Client writes the response body to /etc/cron.d/evil.
3. Achieves arbitrary file write (code execution if file is executable).

5. Impact

  • Integrity – Overwrite any file writable by the service UID (often root).
  • Availability – Corrupt critical files or exhaust disk space.
  • Code Execution – Drop cron jobs, systemd units, or overwrite binaries.

6. Mitigation / Fix

import re

_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')

def download_file(self, sha256: str, sid: str) -> Optional[str]:
    if not _SHA256_RE.fullmatch(sha256):
        self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
        self.status = STATUSES.ERROR_FOUND
        return None
    # or your preferred way to check if a string is a shasum.

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CVE ID

No known CVE

Weaknesses

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory. Learn more on MITRE.

Credits