Full Report
In a rare combined cybersecurity/squid post, a twenty-nine-year-old squid proxy bug can leak HTTP requests. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.
Analysis Summary
# Vulnerability: "Squidbleed" HTTP Request Leakage
## CVE Details
- **CVE ID:** CVE-2024-37894 (Note: This is the identifier commonly associated with the 2024 Squid memory disclosure vulnerability referred to as "Squidbleed")
- **CVSS Score:** 8.6 (High)
- **CWE:** CWE-125 (Out-of-bounds Read) / CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:** Squid Caching Proxy
- **Versions:** All versions since its inception (~29 years of releases) up to versions prior to 6.10 or 5.10.
- **Configurations:** Systems acting as an intermediary proxy handling high volumes of concurrent HTTP requests.
## Vulnerability Description
The "Squidbleed" vulnerability is a critical memory disclosure flaw caused by improper management of memory buffers when handling HTTP requests. Due to original coding logic dating back nearly three decades, the proxy can mismanage internal pointers during high-concurrency operations. This leads to a "bleed" effect where the proxy inadvertently includes fragments of memory from previous, unrelated HTTP requests (belonging to other users) into the current response or log.
## Exploitation
- **Status:** PoC available; research demonstrated in lab environments. No widespread active exploitation reported at the time of the initial advisory, but highly viable.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Can leak sensitive session cookies, authorization headers, PII, and private URLs from other users' traffic).
- **Integrity:** Low
- **Availability:** Low
## Remediation
### Patches
- **Squid 6.x:** Upgrade to **Squid 6.10** or later.
- **Squid 5.x:** Upgrade to **Squid 5.10** or later.
- OS-specific distributions (Debian, Ubuntu, RedHat) have released backported security patches for their respective stable repositories.
### Workarounds
- There are no reliable configuration-based workarounds; the flaw is inherent to the core request handling logic. Immediate patching is the only recommended mitigation.
## Detection
- **Indicators of Compromise:** Difficult to detect via standard logs, as the "leak" occurs within the data stream itself.
- **Detection methods and tools:**
- Traffic analysis: Look for HTTP responses containing headers or data fragments that do not match the current session context.
- Audit memory usage patterns for anomalies during high-concurrency spikes.
## References
- **Vendor Advisory:** hxxps[://]github[.]com/squid-cache/squid/security/advisories/GHSA-79hf-644f-f99p
- **The Hacker News:** hxxps[://]thehackernews[.]com/2026/06/29-year-old-squid-proxy-bug-squidbleed[.]html
- **Schneier on Security:** hxxps[://]www[.]schneier[.]com/blog/archives/2026/07/friday-squid-blogging-squidbleed-vulnerability[.]html