Security researchers at Calif.io have disclosed a memory leak vulnerability in Squid Proxy that has existed since 1997. Tracked as CVE-2026-47729 and dubbed "Squidbleed," the flaw is similar to the Heartbleed vulnerability in OpenSSL.
The vulnerability resides in Squid's FTP parser, which reads beyond the boundary of a memory buffer into a region that may contain a previous user's uncleared HTTP request data. An attacker who controls an FTP server reachable from the proxy can silently siphon HTTP request data belonging to other users, potentially capturing authentication credentials, session tokens, and API keys.
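The over-read mechanism described above, modelled as an added example in C. This is constructed illustration, not Squid's parser or the patched code: one reusable arena stands in for allocator memory that a previous user's HTTP request occupied and that is later handed, uncleared, to the FTP reply parser. The buffer size, the stale request, the session id and the attacker's FTP reply are all made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of a Squidbleed-style over-read (not Squid's code).
 * The arena plays the role of allocator memory reused across requests. */
#define ARENA_SIZE   256
#define FTP_BUF_SIZE 16   /* hypothetical size of the FTP reply buffer */

static char arena[ARENA_SIZE];

/* Stale data: a previous proxy user's request (constructed sample). */
static const char stale_request[] =
    "GET /account?session=7f3a9c2d HTTP/1.1\r\nHost: intranet.example\r\n\r\n";

/* The previous request's memory is released but never wiped. */
static void fill_arena_with_previous_user(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, stale_request, sizeof stale_request - 1);
}

/* The allocator hands the first FTP_BUF_SIZE bytes of the arena to the FTP
 * code and an attacker-controlled reply is copied in. The reply exactly fills
 * the buffer and carries no CRLF, so no terminator lies inside the buffer. */
static char *receive_ftp_reply(const char *reply, size_t len) {
    if (len > FTP_BUF_SIZE) len = FTP_BUF_SIZE;
    memcpy(arena, reply, len);
    return arena;
}

/* Vulnerable: scans for '\n' with no length bound, so it walks past the
 * 16-byte reply buffer into whatever bytes the previous user left behind. */
static size_t parse_reply_line_vulnerable(const char *buf, char *out, size_t outsz) {
    size_t n = 0;
    while (buf[n] != '\n' && buf[n] != '\0') n++;   /* no bound on n */
    if (n >= outsz) n = outsz - 1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return n;
}

/* Hardened: bound the scan by the buffer length and refuse an unterminated
 * line instead of reading beyond it. Returns line length or -1. */
static int parse_reply_line_bounded(const char *buf, size_t buflen, char *out, size_t outsz) {
    const char *nl = memchr(buf, '\n', buflen);
    if (nl == NULL) return -1;                      /* incomplete line: do not guess */
    size_t n = (size_t)(nl - buf);
    if (n >= outsz) return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* Runs the scenario. Returns 1 if the vulnerable parser leaked the previous
 * user's session id into `leaked`, 0 otherwise; `bounded_rc` receives the
 * hardened parser's result for the same buffer (-1 = refused). */
static int leak_demo(char *leaked, size_t leakedsz, int *bounded_rc) {
    static const char attacker_reply[] = "220 evil-ftp-srv";   /* 16 bytes, no CRLF */
    char line[64];
    fill_arena_with_previous_user();
    char *buf = receive_ftp_reply(attacker_reply, sizeof attacker_reply - 1);
    parse_reply_line_vulnerable(buf, leaked, leakedsz);
    *bounded_rc = parse_reply_line_bounded(buf, FTP_BUF_SIZE, line, sizeof line);
    return strstr(leaked, "7f3a9c2d") != NULL;
}

int main(void) {
    char leaked[128];
    int rc;
    int leaked_secret = leak_demo(leaked, sizeof leaked, &rc);
    printf("vulnerable parser returned: \"%s\"\n", leaked);
    printf("leaked previous user's session id: %s\n", leaked_secret ? "yes" : "no");
    printf("bounded parser result: %d\n", rc);
    return 0;
}
```

The vulnerable parser returns the attacker's 16-byte reply followed by the tail of the previous user's request line, which is exactly the cross-user disclosure the advisory describes; the bounded parser sees no terminator within the 16 bytes it was given and returns -1 instead of reading on.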
Squidbleed poses the biggest risk in shared proxy environments, such as corporate networks, schools, and public Wi-Fi hotspots, where multiple users route traffic via the same Squid instance. The exposure is limited to cleartext HTTP traffic and deployments where Squid terminates TLS; standard HTTPS connections relayed as opaque CONNECT tunnels are not affected.
The vulnerability was discovered with the aid of Anthropic's Claude Mythos AI model. A fix was merged into Squid 8 in April 2026 and released in Squid 7.6 in June 2026, so administrators should upgrade to 7.6 or later. If FTP support is not needed, disabling it entirely removes the vulnerable code path and mitigates the risk.
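One way to apply the "disable FTP if you don't need it" mitigation at the access-control layer, as an added example rather than guidance from the advisory or the Squid project: the following squid.conf fragment denies ftp:// URLs before Squid's FTP gateway code is reached for proxied requests. The ACL name and its position in the rule set are choices made here; the `proto` ACL type and `http_access` directive are standard Squid syntax, but whether this fully covers every FTP code path in a given build (for example a native relay configured with `ftp_port`) should be checked against the documentation for the Squid version in use.

```conf
# Added example (not from the advisory or the Squid project).
# Weak: default configurations commonly define the FTP ACL and leave
# ftp:// requests allowed to ordinary clients.
acl FTP proto FTP
# http_access allow localnet        <- FTP is reachable through this rule

# Corrected: deny the FTP protocol before any allow rule for clients,
# so a malicious FTP server is never contacted on a user's behalf.
acl FTP proto FTP
http_access deny FTP
http_access allow localnet
http_access deny all
```

Ordering matters in squid.conf: `http_access` rules are evaluated top to bottom and the first match wins, so the `deny FTP` line must precede the rule that allows client traffic.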