PT-2025-31674 · Squid+5 · Squid+6
Starrynight · Published 2023-11-22 · Updated 2026-01-12 · CVE-2025-54574
CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
Squid versions 6.3 and earlier
Squid versions prior to 6.4
Squid versions 5.7-2+deb12u3 (Debian bookworm)
Description
Squid, a high-performance caching proxy server, is affected by multiple issues. A critical heap-based buffer overflow exists in versions 6.3 and earlier when processing Uniform Resource Names (URNs); it can lead to remote code execution (RCE) and information leakage. The flaw stems from incorrect buffer management while handling Trivial-HTTP responses for crafted URNs. Successful exploitation could allow an attacker to execute arbitrary code or leak up to 4 KB of heap memory, which may contain sensitive data such as session tokens and keys. A separate denial-of-service (DoS) issue affects HTTP and HTTPS handling. Approximately 100,000 instances of the vulnerable software are estimated to be present in the Russian internet space, with over 27% potentially affected.
Recommendations
Squid versions 6.3 and earlier: Upgrade to version 6.4 or later. As a temporary measure, disable URN access by adding the following to squid.conf (the deny line must appear before any http_access allow rules, because Squid evaluates http_access lines in order and stops at the first match):
acl URN proto URN
http_access deny URN
Squid version 5.7-2+deb12u3 (Debian bookworm): Upgrade to version 5.7-2+deb12u3.
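The check below is an added example, not part of the advisory or of Squid itself: it takes a Squid version string and a squid.conf path and reports whether the install is in the affected range and whether the URN-deny mitigation above is present. The sample config it feeds itself is constructed for the demonstration.

```shell
#!/bin/sh
# Added defender-side check for CVE-2025-54574: is this Squid below 6.4 (affected)
# and, if so, does squid.conf carry the advisory's URN-deny mitigation? Distro
# backports (e.g. Debian's 5.7-2+deb12u3) must be judged by the distro advisory.
# Returns 0 when VERSION is below 6.4, 1 when 6.4 or later, 2 when unparsable.
squid_version_affected() {
  ver="$1"
  case "$ver" in *.*) ;; *) ver="$ver.0" ;; esac
  major=${ver%%.*}
  minor=${ver#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*}
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 4 ]; }; then
    return 0
  fi
  return 1
}

# Returns 0 when CONF defines an ACL on protocol URN and denies it via http_access.
urn_mitigation_present() {
  conf="$1"
  names=$(awk 'tolower($1)=="acl" && tolower($3)=="proto" {
      for (i = 4; i <= NF; i++) if (toupper($i) == "URN") print $2 }' "$conf")
  [ -n "$names" ] || return 1
  for n in $names; do
    awk -v n="$n" 'tolower($1)=="http_access" && tolower($2)=="deny" {
        for (i = 3; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }' "$conf" && return 0
  done
  return 1
}

# Verdict: 0 = patched or mitigated, 1 = exposed, 2 = version unparsable.
assess_squid() {
  squid_version_affected "$1" && rc=0 || rc=$?
  case "$rc" in
    1) echo "Squid $1: not in affected range"; return 0 ;;
    2) echo "Squid '$1': unrecognised version string"; return 2 ;;
  esac
  if urn_mitigation_present "$2"; then
    echo "Squid $1: affected, URN denied in config (mitigated; still upgrade to 6.4+)"
    return 0
  fi
  echo "Squid $1: affected and URN not denied (exposed)"; return 1
}

# Constructed sample config (not a real deployment) with the mitigation applied.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
printf 'acl URN proto URN\nhttp_access deny URN\nhttp_access allow localhost\n' > "$SAMPLE_CONF"
assess_squid 6.3 "$SAMPLE_CONF"
```

On a real host, pass the output of `squid -v` (the "Version" field) and /etc/squid/squid.conf; the mitigation check only reads the main file, so ACLs pulled in via include lines are not seen.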
Fix
RCE
Memory Corruption
Heap Based Buffer Overflow
Related Identifiers
Affected Products
Astra Linux
Centos
Debian
Red Hat
Red Os
Squid
Squid Cache