Saturday, December 13, 2025

Critical Squid Vulnerability Lets Attackers Execute Remote Code

A critical vulnerability in the widely used Squid caching proxy allows a remote attacker to execute code on the proxy and to read parts of its heap memory.

The flaw, tracked as CVE-2025-54574 and published by the project as advisory SQUID-2025:1, affects every Squid release up to and including 6.3, and with it the many organizations that rely on the proxy for web traffic management.

The root cause is incorrect buffer management in Squid’s handling of Uniform Resource Names (URNs), which produces a heap buffer overflow that the advisory rates as critical with a CVSS score of 9.3.

When Squid resolves a URN on a client’s behalf, it fetches a Trivial-HTTP response from the resolver and does not correctly bound the data it copies from that response into a heap buffer, so a specially crafted Trivial-HTTP response is enough to trigger the overflow.

Exploitation requires neither authentication nor user interaction, and the outcome can be arbitrary code execution on the proxy, which makes internet-facing deployments the most exposed.

According to the official advisory, the same bug can also cause Squid to leak up to 4KB of allocated heap memory to clients, which may contain credentials, session tokens, or other confidential data passing through the proxy.

The bug was discovered by a security researcher known as StarryNight and fixed by The Measurement Factory, a long-standing contributor to Squid development.

The discovery highlights the ongoing security challenges faced by critical internet infrastructure components that handle vast amounts of web traffic daily.

Squid Vulnerability

The affected range spans several release branches, making this one of the more significant security issues to hit the proxy in recent years.

All Squid 4.x releases from 4.14 up to and including 4.17 are vulnerable, as are all 5.x releases through 5.9 and all 6.x releases up to and including 6.3. Releases older than 4.14 are presumed vulnerable but were not specifically tested. The fix shipped in Squid 6.4.

Squid is widely deployed by enterprises, internet service providers, and academic institutions, so the population of affected installations is large.

The proxy server is commonly used to cache web content, improve network performance, and provide access control, making it a critical component in many organizations’ network infrastructure.

The exposure is heightened by the fact that Squid proxies are often deployed as internet-facing services, directly reachable by attackers.

Combined with the severity of the bug and the absence of any authentication requirement, that reachability gives threat actors a direct path to compromising network infrastructure.

Mitigations

The Squid development team has released version 6.4 as a complete fix for the vulnerability, and organizations are strongly urged to upgrade immediately.

For environments where an immediate upgrade is not feasible, the advisory offers a temporary workaround: deny URN requests in squid.conf by adding the access control lines “acl URN proto URN” followed by “http_access deny URN”.

Because http_access rules are evaluated in order and the first match wins, the deny must be placed before any http_access allow rule that would otherwise admit the request; appending it at the end of the file after “http_access allow localnet” would leave URN requests permitted. After editing, validate the file with “squid -k parse” and reload with “squid -k reconfigure”. The workaround blocks URN resolution entirely, a feature most deployments do not use.

Patches for the stable release branches are also available from the Squid project’s patch archives; for the 6.x branch the fix is commit a27bf4b.

Organizations using prepackaged versions of Squid should contact their distribution vendors for updated packages and deployment guidance.
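The version check and workaround described above, as an added shell example that is not the Squid project’s or the article’s own code. It parses the output of “squid -v”, decides whether the installed release falls inside the range the advisory lists as affected (everything up to and including 6.3), and inserts the two workaround lines ahead of the first http_access rule so that the deny is evaluated before any allow. It assumes squid is on PATH and prints “Squid Cache: Version X.Y”, and that the configuration file path is passed as the first argument; the sample squid.conf lines used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Squid project or this article). Checks whether an
# installed Squid is in the range the advisory lists as affected (<= 6.3, fixed
# in 6.4) and, if so, inserts the advisory's workaround into squid.conf before
# the first http_access rule. Placement matters: http_access is evaluated
# top-down, first match wins, so a deny appended after
#   http_access allow localnet
# would never fire for clients in localnet.
# Assumptions: squid is on PATH and `squid -v` prints "Squid Cache: Version X.Y".
set -eu

# Extract "X.Y[.Z]" from `squid -v` output fed on stdin.
parse_squid_version() {
    sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# squid_vulnerable X.Y[.Z] -> exit 0 if the version is <= 6.3, 1 if not, 2 if
# unparsable. Releases older than 4.14 are only "presumed" vulnerable per the
# advisory, but treating them as affected is the safe default.
squid_vulnerable() {
    major=${1%%.*}
    case "$1" in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    case "$major$minor" in
        ''|*[!0-9]*) echo "unparsable version: $1" >&2; return 2 ;;
    esac
    if [ "$major" -lt 6 ]; then
        return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -le 3 ]; then
        return 0
    fi
    return 1
}

# add_urn_deny CONF: insert the advisory's two lines before the first
# http_access rule (or append them if there is none). Idempotent, and the
# rewrite goes through cat so the file keeps its owner and mode.
add_urn_deny() {
    conf=$1
    if grep -q '^acl URN proto URN' "$conf"; then
        return 0
    fi
    tmp=$(mktemp)
    awk '
        !done && /^[ \t]*http_access[ \t]/ {
            print "acl URN proto URN"
            print "http_access deny URN"
            done = 1
        }
        { print }
        END {
            if (!done) {
                print "acl URN proto URN"
                print "http_access deny URN"
            }
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

main() {
    conf=$1
    ver=$(squid -v 2>/dev/null | parse_squid_version || true)
    if [ -z "$ver" ]; then
        echo "could not determine Squid version (is squid on PATH?)" >&2
        exit 2
    fi
    if squid_vulnerable "$ver"; then
        echo "Squid $ver is in the affected range; inserting URN deny into $conf" >&2
        add_urn_deny "$conf"
        squid -k parse -f "$conf"    # syntax-check the edited file before reloading
        echo "config parses; now run: squid -k reconfigure" >&2
    else
        echo "Squid $ver is not in the affected range" >&2
    fi
}

# Only act when a config path is given, so the file can be sourced for its
# functions without side effects.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as “sh squid_urn_check.sh /etc/squid/squid.conf” on the proxy host. After “squid -k reconfigure”, confirm the deny is effective by sending a raw URN request to the proxy port (for example with printf and nc: “GET urn:example:test HTTP/1.1”) and checking that the proxy answers with a 403 instead of attempting resolution. The workaround is a stopgap only; the 6.4 upgrade or the branch patch remains the actual fix.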

Security experts recommend that organizations prioritize this vulnerability in their patching schedules due to the combination of its critical severity rating, wide attack surface, and potential for remote code execution.

The advisory was published with enough technical detail to make rapid development of exploit tooling plausible, so prompt remediation is essential.

The incident serves as a reminder of the importance of maintaining current security patches for critical network infrastructure components, particularly those that handle internet traffic and are exposed to potential attackers from across the globe.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
