The Squid Project has issued an urgent advisory for CVE-2025-54574 (CVSS 9.3), a heap buffer overflow bug affecting Squid’s handling of URN (Uniform Resource Name) responses.
“Due to incorrect buffer management, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN,” the Squid advisory states.
This critical-severity flaw resides in Squid’s handling of Uniform Resource Names (URNs). When Squid receives a Trivial-HTTP response containing a URN, incorrect buffer management leads to a heap buffer overflow. The result is a possible path to remote code execution, and Squid can also return up to 4KB of its own heap memory to the client.
“Revealed memory may include security credentials or other confidential data,” warns the advisory.
This kind of vulnerability is particularly dangerous in enterprise and service provider environments where Squid is widely used to cache and filter HTTP, HTTPS, and FTP traffic.
Heap buffer overflows are among the most exploitable memory-safety bugs in modern software, and this one adds an information leak on top of the possible remote code execution: the heap bytes returned to the client could include authentication credentials, session tokens, or private configuration data.
Given Squid’s deep integration into critical infrastructure—ranging from corporate proxies to government content filters—CVE-2025-54574 poses an outsized risk.
The vulnerability impacts a broad range of Squid versions:
- Squid-4.x: All versions up to and including 4.17
- Squid-5.x: All versions up to and including 5.9
- Squid-6.x: All versions up to and including 6.3
“Squid older than 4.14 have not been tested and should be assumed to be vulnerable,” the advisory notes.
The vulnerability has been fully patched in Squid version 6.4, and backported patches for earlier branches are available via the Squid project’s GitHub repository.
The Squid team strongly recommends updating to the latest release, but if immediate patching isn’t feasible, a temporary workaround is available. Administrators can disable URN access permissions entirely by adding the following ACL rule to their Squid configuration:
This rule denies URN requests before Squid tries to resolve them, so the vulnerable code path is never reached. Because http_access rules are evaluated in order and the first match wins, the deny must be placed before any allow rule that would otherwise match the same request.
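As an added illustration (not code from the Squid project, the advisory, or the original article), the POSIX shell script below does the two checks a practitioner would want for the version list and the workaround described above: it classifies a Squid version string against the affected ranges given on this page, and it checks a squid.conf for a URN-deny rule placed where Squid's first-match http_access evaluation will actually apply it. The ACL name `URN`, the two-line `acl ... proto URN` / `http_access deny ...` form, the assumed `squid -v` output format, and the sample configurations are this example's assumptions; take the exact workaround lines from the advisory itself.

```shell
#!/bin/sh
# Added example, not from the Squid advisory or the article above.
# (1) squid_affected: classify a Squid version against the affected ranges
#     listed on this page (4.x <= 4.17, 5.x <= 5.9, 6.x <= 6.3; older than
#     4.14 untested and assumed vulnerable; 6.4 and later not listed).
# (2) urn_deny_present: check that a squid.conf denies proto-URN requests
#     before any http_access allow line, since http_access is first-match.
# The ACL name "URN" and the two-line rule form are this example's assumption
# of the workaround's shape.

# squid_affected VERSION -> exit 0 if VERSION falls in an affected range.
# VERSION is "major.minor" as printed by `squid -v` ("Squid Cache: Version 6.3",
# an assumed format), optionally with a distro suffix ("5.9-2" counts as 5.9).
squid_affected() {
    ver=$1
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%[!0-9]*} ;;
        *)   minor=0 ;;
    esac
    case $major in
        ''|*[!0-9]*) echo "unparsable version: $ver" >&2; return 2 ;;
    esac
    [ -n "$minor" ] || minor=0
    # Anything before 4.x is older than 4.14 and therefore assumed vulnerable.
    [ "$major" -lt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -le 17 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -le 9 ]  && return 0
    [ "$major" -eq 6 ] && [ "$minor" -le 3 ]  && return 0
    return 1   # 6.4 and later are not in the affected ranges
}

# urn_deny_present CONF -> exit 0 if CONF defines an ACL of type "proto" with
# value URN and has "http_access deny <that acl>" before the first
# "http_access allow". A deny that follows an allow matching the request never
# runs, so requiring it ahead of every allow is the conservative check.
urn_deny_present() {
    awk '
        /^[ \t]*#/ { next }                                         # skip comments
        $1 == "acl" && $3 == "proto" && toupper($4) == "URN" { urn[$2] = 1 }
        $1 == "http_access" && $2 == "allow"                  { seen_allow = 1 }
        $1 == "http_access" && $2 == "deny" && ($3 in urn) && !seen_allow { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample configurations for the demonstration (not real deployments).
tmp=$(mktemp -d)
GOOD_CONF=$tmp/good.conf
BAD_CONF=$tmp/bad.conf

cat >"$GOOD_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN
http_access allow localnet
http_access deny all
EOF

# Same rules, but the URN deny is shadowed by the earlier allow for localnet.
cat >"$BAD_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet
http_access deny URN
http_access deny all
EOF

# Demo run. On a real host: squid_affected "$(squid -v | awk '/Version/ {print $4}')"
for v in 4.17 5.9-2 6.3 6.4; do
    if squid_affected "$v"; then echo "$v: in affected range"; else echo "$v: not in affected range"; fi
done
urn_deny_present "$GOOD_CONF" && echo "good.conf: URN deny is in effect"
urn_deny_present "$BAD_CONF"  || echo "bad.conf: URN deny is shadowed by an earlier allow"
```

Two caveats. A version check alone over-reports on distributions that backport the fix without changing the upstream version string, so confirm against the package changelog before treating a host as unpatched. And after adding the deny rule, `squid -k parse` validates the configuration and `squid -k reconfigure` loads it without a full restart.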