Critical Squid Flaw Allows Remote Code Execution & Data Leakage
A critical vulnerability has been discovered in the Squid proxy server, enabling remote execution of arbitrary code. The flaw affects nearly all actively used versions, and given the widespread deployment of Squid, millions of systems across the globe may be at risk.
Squid is a widely adopted HTTP proxy offering caching, load balancing, and access control capabilities. It serves as an intermediary between clients and web servers, storing frequently accessed resources to enhance performance and reduce network strain. It is extensively used in enterprise environments, by internet service providers, and within content delivery infrastructures.
The vulnerability, cataloged as CVE-2025-54574, stems from a buffer overflow during the handling of URN requests (Uniform Resource Names, identifiers that reference a resource by name rather than by location). Improper buffer management while parsing these requests results in heap memory corruption, opening the door to unauthenticated remote code execution with no user interaction required.
According to the CVSS v3 scoring system, the vulnerability has been assigned a severity score of 9.3 out of 10—a high-risk rating considering both the ease of exploitation and the potential impact.
The issue was first reported by a researcher operating under the alias StarryNight, while the patch was developed by the team at The Measurement Factory. As detailed in the advisory, the flaw can be exploited via low-complexity network connections, making it particularly dangerous for publicly exposed proxies and enterprise gateways.
The exploitation path involves processing Trivial-HTTP responses over the URN protocol, allowing a malicious server to send up to 4 kilobytes of Squid’s allocated memory back to the client. This could potentially lead to leakage of sensitive information, such as access keys, tokens, or other confidential data residing in memory at the time of the attack.
The vulnerability impacts virtually the entire modern Squid release range, that is, every release before 6.4:
- Series 4.x through 4.17
- Series 5.x through 5.9
- Series 6.x through 6.3
Installations running versions prior to 4.14 are considered especially vulnerable, as they were not rigorously assessed for this flaw.
Developers strongly recommend upgrading to version 6.4, which includes the necessary fix. For environments where immediate upgrading is not feasible, a temporary mitigation is available: disabling URN request handling at the configuration level. This can be achieved by adjusting access control lists (ACLs) to block URN scheme requests, thereby safeguarding the system until a full patch can be applied.
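The following squid.conf fragment shows what the ACL-based workaround looks like in practice. It is an added illustration, not configuration taken from the article or from the Squid advisory; the ACL name no_urn and the sample localnet policy are my own choices, while the proto ACL type and the http_access directive are standard Squid configuration.

```squidconf
# Added example: refuse URN-scheme requests as a stopgap until Squid 6.4 is installed.
# Squid evaluates http_access rules top to bottom and stops at the first match,
# so the deny rule must appear before any rule that would otherwise allow the request.

# Match any request whose URL scheme is "urn:" (the "proto" ACL type tests the scheme).
# The ACL name "no_urn" is an arbitrary choice.
acl no_urn proto URN

# Deny those requests ahead of the normal access policy.
http_access deny no_urn

# Existing access policy continues below (sample values, not a recommendation):
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Validate the edited file with `squid -k parse` before applying it with `squid -k reconfigure`; the deny rule only protects the proxy if it is reached before any matching allow rule, so confirm its position in the access list.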
This incident highlights ongoing systemic security issues within core components of the internet’s infrastructure. Given Squid’s omnipresence in corporate networks, ISPs, caching layers, and traffic-filtering systems, swift remediation is critical to prevent potential breaches and the compromise of key network assets.