A security flaw in the Squid web proxy, known as ‘Squidbleed’ (CVE-2026-47729), has been identified, which can potentially expose cleartext HTTP requests. This vulnerability, found by Calif.io researchers, stems from a change made in 1997 concerning FTP parsing, and continues to exist in Squid’s default settings.
Understanding the Squidbleed Vulnerability
Squidbleed is a type of attack that can be executed by a trusted client, essentially someone already authorized to use the proxy. This aligns with Squid’s common use in environments like schools, offices, and public Wi-Fi networks, where multiple users share the same proxy server. The vulnerability allows an attacker to access another user’s HTTP request, including sensitive information like credentials and session tokens.
The flaw affects only traffic that can be read by Squid. While HTTPS traffic remains secure due to its encrypted nature, cleartext HTTP traffic and certain TLS terminating configurations, where Squid handles decryption, are vulnerable.
Technical Details of the Exploit
The issue lies within Squid’s FTP directory-listing parser. Originally designed to handle old NetWare server listings padded with whitespace, the parser skips spaces using the code: while (strchr(w_space, *copyFrom)) ++copyFrom;. If an FTP server under an attacker’s control sends a specific listing line, the parser can overread memory, leaking data as filenames.
This overread occurs because the parser misinterprets the null terminator, leading to unintended memory access. Squid’s memory handling, which doesn’t clear freed buffers, allows previously stored HTTP requests to be partially leaked to attackers.
Mitigation Strategies
To mitigate Squidbleed, it’s crucial to verify any patches and ensure they are applied correctly. Specifically, the fix involves a null-terminator check before the vulnerable strchr calls, which was introduced in Squid’s development branch earlier this year.
Disabling FTP support in Squid is a recommended measure since FTP usage is largely obsolete. This action effectively removes the attack vector. Additionally, ensuring that your Squid version includes the latest patches can prevent exploitation of this vulnerability.
Implications and Recommendations
The risk posed by Squidbleed is considered moderate, with a CVSS rating of 6.5. Although it primarily threatens data confidentiality, it requires the attacker to have access to the proxy, thus limiting its scope.
Researchers suggest that similar vulnerabilities could exist in other software, highlighting the need for continued vigilance and regular updates. Calif.io credits AI advancements for rapidly identifying such hidden vulnerabilities, suggesting that AI-driven analysis could be crucial in future cybersecurity defenses.
