Introduction
A single malformed HTTP response can crash or compromise a Squid proxy, disrupting web access for thousands of users or exposing sensitive data. CVE-2025-54574 highlights a critical flaw in Squid's URN processing, affecting all deployments running version 6.3 or earlier. Squid is a foundational open source proxy and caching solution, widely used by enterprises, ISPs, and universities to optimize and secure web traffic. Its global footprint means vulnerabilities like this have far-reaching operational and security consequences.
Technical Information
CVE-2025-54574 is a heap buffer overflow vulnerability in Squid's handling of Uniform Resource Names (URNs). The flaw is present in all Squid versions up to and including 6.3. The vulnerability arises from improper buffer management during the processing of Trivial-HTTP responses associated with URN requests. Specifically, when Squid processes a URN, it may read partial HTTP headers from disk without adequate bounds checking, leading to the possibility of writing beyond allocated heap memory.
Attackers can exploit this by crafting HTTP responses with oversized headers. When such a response is processed, Squid's internal routines (notably storeClientCopy()) may mishandle buffer boundaries, resulting in heap memory corruption. This can lead to denial of service, information disclosure (up to 4KB of heap memory), or remote code execution if the attacker can control the overflow data.
The patch for this issue (commit a27bf4b84da23594150c7a86a23435df0b35b988) corrects buffer management in the affected code paths, ensuring that serialized HTTP response header bytes are not improperly sent or exposed.
Proof of Concept
For the vulnerability addressed by commit a27bf4b84da23594150c7a86a23435df0b35b988, a Proof-of-Concept (PoC) exploit would involve crafting HTTP responses with oversized headers. Sending such responses to a Squid proxy could cause it to read partial HTTP headers from disk, leading to parsing failures, which in turn could result in denial of service or other unintended behaviors. The commit modifies the storeClientCopy() function so that serialized HTTP response header bytes are no longer sent, mitigating the issue.
Reference: Squid Commit a27bf4b
Patch Information
The Squid development team has addressed a critical buffer overflow vulnerability in the handling of Uniform Resource Names (URNs) by releasing version 6.4. This flaw, present in versions prior to 6.4, could potentially allow remote servers to execute arbitrary code by exploiting improper buffer management during URN processing.
The patch rectifies the issue by implementing correct buffer management practices, thereby preventing the possibility of a heap buffer overflow. This ensures that when Squid processes URN Trivial-HTTP responses, it no longer risks exposing up to 4KB of allocated heap memory to clients—a scenario that could have led to the disclosure of sensitive information, including security credentials.
For users operating on stable releases, the Squid team has provided specific patches to address this vulnerability:
- Squid 6: Patch available at commit a27bf4b.
It's crucial for administrators to apply these patches promptly to mitigate the risk associated with this vulnerability. If you're utilizing a prepackaged version of Squid, please consult your package vendor for information regarding the availability of updated packages.
To determine if your version is vulnerable, note that all Squid versions up to and including 6.3 are affected. Upgrading to version 6.4 or applying the relevant patches will secure your system against this issue.
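The version check described above, as an added example for administrators (not code from the Squid project or the advisory): it reads the installed version from `squid -v`, whose first line is assumed to read "Squid Cache: Version X.Y[.Z]", and reports whether the build falls in the affected range (every release up to and including 6.3, fixed in 6.4). It assumes GNU `sort -V` for the version comparison.

```shell
#!/bin/sh
# Added example: is this Squid build in the affected range for CVE-2025-54574?
# Affected: all releases up to and including 6.3. Fixed: 6.4.
FIXED_VERSION="6.4"

# Return 0 (true) when "$1" sorts strictly before the fixed release.
squid_affected() {
    ver="$1"
    # Drop a build suffix such as "-20240101" or "+git" before comparing.
    ver="${ver%%[-+]*}"
    # GNU sort -V orders version strings component by component (assumed
    # available). If our version sorts first and is not equal to the fixed
    # version, it is older and therefore affected.
    first=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n1)
    [ "$first" = "$ver" ] && [ "$ver" != "$FIXED_VERSION" ]
}

# Pull "X.Y[.Z]" out of `squid -v` output. Assumption: the first line of that
# output is "Squid Cache: Version X.Y[.Z]" on stock builds.
parse_squid_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' \
        | head -n1
}

# Report on the locally installed squid, if one is on PATH.
# Exit status: 0 not affected, 1 affected, 2 squid not found / unparsable.
check_local_squid() {
    if ! command -v squid >/dev/null 2>&1; then
        echo "squid not found on PATH"
        return 2
    fi
    v=$(parse_squid_version "$(squid -v 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "could not parse version from 'squid -v' output"
        return 2
    fi
    if squid_affected "$v"; then
        echo "Squid $v: affected by CVE-2025-54574 (upgrade to 6.4 or apply commit a27bf4b)"
        return 1
    fi
    echo "Squid $v: not in the affected range"
    return 0
}
```

Run `check_local_squid` on each proxy host; a non-zero exit status marks hosts that still need the 6.4 upgrade or the backported patch.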
Reference: Squid Security Advisory GHSA-w4gv-vw3f-29g3
Affected Systems and Versions
- Squid Proxy versions up to and including 6.3 are affected
- Vulnerable in default configurations where URN processing is enabled
- Fixed in version 6.4
Vendor Security History
Squid has previously addressed URN-related vulnerabilities, such as SQUID-2021:1 (CVE-2021-28651), which also involved parsing issues in URN handling. The project maintains a consistent record of releasing advisories and patches for critical vulnerabilities. The response to CVE-2025-54574 was prompt, with a new release and detailed guidance provided shortly after discovery.