
Squid Proxy Bug Exposes Cleartext HTTP Requests


The bug traces to a 1997 FTP-parsing change and is still live in Squid's default configuration.

What Squidbleed is and who disclosed it

Calif.io researchers disclosed a heap over-read in the Squid web proxy in June and named the flaw Squidbleed (CVE-2026-47729). The vulnerability allows an attacker who already has permission to use the same proxy to receive chunks of another user's cleartext HTTP request—including headers such as Authorization that can carry credentials or session tokens.

How the FtpGateway.cc parser turns a short FTP line into leaked memory

The defect sits in Squid's FTP directory-listing parser. To handle old NetWare listings, the code uses a loop that skips whitespace: while (strchr(w_space, *copyFrom)) ++copyFrom;. If an FTP server controlled by an attacker sends a listing line that ends immediately after the timestamp with no filename, the loop can walk past the string terminator, because strchr(w_space, '\0') matches the terminator of w_space itself and returns a pointer rather than NULL. The loop runs off the end of the line and xstrdup then copies whatever the adjacent memory contains back to the attacker as a filename.

Squid reuses freed buffers without zeroing them. A 4KB buffer that recently contained a victim's HTTP request can still hold most of that request; a short FTP line overwrites only the first few bytes, and the over-read returns the remainder. Calif.io's demonstration pulls an Authorization header from a co-proxy user—enough to act as that user. Proof-of-concept code has been published, and no in-the-wild exploitation had been reported as of this writing.
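The two mechanisms above, the strchr quirk and the un-zeroed reused buffer, in one small C model. This is an added illustration, not Squid's code or Calif.io's proof of concept: the whitespace set w_space, the buffer contents and the offsets are constructed, and the vulnerable loop walks only within a single local array so the program itself stays well-defined.

```c
#include <stdio.h>
#include <string.h>
/* Whitespace set the listing parser skips (assumed to match Squid's w_space). */
static const char w_space[] = " \t\r\n";

/* Skip loop as quoted above. strchr(w_space, '\0') matches w_space's own
 * terminator and so is never NULL: a line that ends right after the timestamp
 * lets the loop step over its NUL into whatever memory follows. */
static const char *skip_ws_vulnerable(const char *p) {
    while (strchr(w_space, *p))
        ++p;
    return p;
}

/* Hardened loop: check for the terminator before consulting strchr. */
static const char *skip_ws_fixed(const char *p) {
    while (*p != '\0' && strchr(w_space, *p))
        ++p;
    return p;
}

/* Constructed model of a reused, un-zeroed buffer: an earlier request is still
 * present and a short FTP listing line has overwritten only its first bytes. */
static char buffer[128];
#define LINE_START 12   /* offset of the blank that follows "12:00" */

static void fill_reused_buffer(void) {
    memset(buffer, 0, sizeof buffer);
    /* stale content from a previous user (constructed sample, not real traffic) */
    strcpy(buffer, "GET / HTTP/1.1\r\nAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n");
    /* listing line ending at the timestamp, no filename; its NUL lands at offset 13 */
    memcpy(buffer, "Jan 01 12:00 ", 14);
}

/* What xstrdup would copy out as the "filename" under each loop. */
const char *vulnerable_filename(void) {
    fill_reused_buffer();
    return skip_ws_vulnerable(buffer + LINE_START);
}
const char *fixed_filename(void) {
    fill_reused_buffer();
    return skip_ws_fixed(buffer + LINE_START);
}

int main(void) {
    const char *leak = vulnerable_filename();
    printf("vulnerable: offset %td, copies \"%.20s...\"\n", leak - buffer, leak);
    printf("fixed: offset %td, empty filename -> reject line\n", fixed_filename() - buffer);
    return 0;
}
```

The vulnerable loop stops at offset 16, on the stale Authorization header; the fixed loop stops at the line's own terminator at offset 13 and hands back an empty filename the parser can reject.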

Scope, prerequisites, and real-world constraints

Squid and the researchers stress this is an attack by a trusted client: the attacker must already be permitted to send traffic through the same proxy. That maps to Squid's common deployments on shared networks such as schools, offices, and public Wi‑Fi. The leak affects only traffic the proxy can read: cleartext HTTP and any TLS-terminating setups where Squid decrypts and inspects traffic. Normal HTTPS tunneled with CONNECT remains opaque to Squid and is not exposed by this bug.

The attacker must also make the proxy connect to an FTP server they control on port 21; both FTP and port 21 are enabled by default in Squid builds. SUSE rates the vulnerability moderate with a CVSS score of 6.5, reflecting the low privilege needed (proxy access) and the confined impact—confidentiality only, not integrity or availability.

Patch status, distribution quirks, and short-term mitigation

The fix is small: a null-terminator check inserted before the vulnerable strchr calls. That change was merged to Squid's development branch in April and to v7 in May. Squid's public thread has been inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7; on June 22 Debian's Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. Administrators who patch are advised to verify the presence of the guard in FtpGateway.cc rather than relying solely on reported version numbers, and to check their distribution's backport because distros ship their own builds (Debian packages Squid 5.7).

Calif.io recommends the cleaner operational move: turn FTP off. Chromium dropped FTP years ago, most networks carry almost none of it, and disabling FTP removes the attack surface regardless of Squid build.
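What "turn FTP off" looks like in squid.conf, as an added illustration rather than configuration taken from the article or from the Squid project: the stock Safe_ports fragment that leaves the FTP gateway reachable, beside a hardened fragment that drops port 21 and denies the FTP scheme. The acl name ftp_scheme is my choice; the Safe_ports lines mirror Squid's default configuration.

```conf
# Default fragment (weak for this bug): port 21 is a Safe_port and nothing
# refuses ftp:// URLs, so a client can make the proxy talk to an FTP server.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
http_access deny !Safe_ports

# Hardened fragment: no port 21 in Safe_ports, and ftp:// requests are denied
# outright. Both deny rules must precede any http_access allow for your clients.
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl ftp_scheme proto FTP
http_access deny ftp_scheme
http_access deny !Safe_ports
```

Check the edited file with squid -k parse before applying it with squid -k reconfigure, and confirm afterwards that an ftp:// URL requested through the proxy is refused.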

What this means for technologists, network administrators, and end users

  • Technologists and security teams: Verify that the specific null-terminator check exists in FtpGateway.cc in your deployed build or that your distribution's backport includes the change; do not rely solely on version strings. Consider scanning for co-resident proxy users and monitor for any unexpected FTP activity to port 21.
  • Network administrators and procurement leaders: Evaluate turning FTP off across proxies and edge devices. Because distros ship different builds (for example, Debian's Squid 5.7 packages), confirm vendor-supplied fixes are present and tested in your environment before declaring systems remediated.
  • End users and the general public: On shared networks where proxies decrypt or inspect traffic, favor HTTPS that uses CONNECT tunnels and avoid sending credentials over cleartext HTTP. If you must use services that require credentials, assume a shared-proxy environment could expose them until your network operator confirms mitigation.

Calif.io also credited Anthropic's Claude Mythos Preview—the model behind Project Glasswing—with quickly catching the strchr quirk, and noted this is the same class of buried parser bug AI agents have surfaced elsewhere, including in FFmpeg. Calif.io hinted Squid's FTP code may not be the last place this kind of over-read was overlooked.

For now, the most actionable steps are concrete: either confirm the null-terminator guard is present in your deployed FtpGateway.cc, or simply disable FTP and close port 21 on proxies. That combination removes the most practical exploitation path and buys time to validate vendor fixes across distributions.

Source: https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html