Squidbleed: 29-Year-Old Squid Bug Leaks User Credentials

Pierluigi Paganini
June 23, 2026

Squidbleed is a 29-year-old Squid Proxy flaw that can leak credentials, tokens, and other users’ HTTP data through a memory overread.

Researchers at Calif.io have disclosed CVE-2026-47729, a memory leak vulnerability in Squid Proxy that was introduced in 1997 and has remained undetected through nearly three decades of releases, audits, and rewrites. They named it Squidbleed because it works like Heartbleed: it causes the proxy to read past the end of a memory buffer and hand the contents to whoever asked.

“The bug occurs when no filename is provided after the modification timestamp,” reads the report published by the researchers. “Here’s such an example:

d [R----F--] supervisor            512       Jan 16 18:53

In that case, *copyFrom is the null terminator at the end of the string.

However, instead of returning NULL and breaking out of the loop, strchr returns a pointer to the null terminator, as it is considered part of the string. This causes ++copyFrom to be executed and the cycle repeats until a non-null, non-whitespace byte is reached.”

The pointer then walks forward past the buffer boundary until it hits a non-null, non-whitespace byte, and whatever it finds there gets sent back to the attacker as a filename. The fix is two characters: check that *copyFrom isn’t null before calling the function strchr. One line of C, twenty-nine years of exposure.

The bug resides in Squid’s FTP directory listing parser, specifically in code written to handle NetWare FTP servers, which used four spaces between the timestamp and filename instead of one.

“The data starting from that byte, possibly belonging to another Squid Proxy user, is then returned to the attacker as the name of a file in the directory listing,” continues the report. “Since FTP support is enabled out of the box, and port 21 is included in the default Safe_ports ACL, no special flags or non-default settings are needed. The attacker only needs to control an FTP server reachable from the proxy.”

Squid is common in multi-user environments such as corporate networks, schools and public Wi-Fi; the researchers even spotted it running on an in-flight Wi-Fi system, on a version released nearly a decade ago.

What actually leaks is the contents of other users’ HTTP requests. Squid manages memory through per-size recycled buffer pools and doesn’t zero them when they’re freed.

“The line buffer used to parse FTP listings is allocated from MEM_4K_BUF. If that buffer previously held a victim’s HTTP request, only the first few dozen bytes are overwritten by the short FTP line — the rest of the 4KB buffer still contains the victim’s stale data,” states the report. “The strchr overread walks right past the null terminator and sends it all to the attacker.”
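The parser loop quoted from the report and the recycled, non-zeroed MEM_4K_BUF buffer described just above, as an added C illustration that is not Squid's code: pool_buf stands in for the pool buffer, the stale HTTP request and the separator set w_space are constructed assumptions, and the token-counting shortcut in after_timestamp is a demo simplification of the real listing parser.

```c
#include <string.h>

/* Added illustration of the parser pattern described above; not Squid's code.
 * pool_buf stands in for a recycled MEM_4K_BUF buffer that is never zeroed. */
#define POOL_BUF 128
static const char w_space[] = " \t\r\n";     /* assumed separator set */
static char pool_buf[POOL_BUF];

/* Simulate reuse: the buffer first held a (constructed) victim HTTP request;
 * the short FTP line then overwrites only its first strlen(line)+1 bytes. */
static void recycle_buffer_with(const char *line)
{
    const char stale[] = "GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
                         "Authorization: Basic dXNlcjpwYXNz\r\n\r\n";
    memset(pool_buf, 0, sizeof pool_buf);
    memcpy(pool_buf, stale, sizeof stale);     /* previous tenant's data */
    memcpy(pool_buf, line, strlen(line) + 1);  /* FTP line plus its NUL */
}

/* Demo shortcut: the timestamp is the 7th token; the filename field starts
 * right after it (at a separator, or at the NUL when there is no filename). */
static const char *after_timestamp(const char *p)
{
    for (int tok = 0; tok < 7; ++tok) {
        while (*p && strchr(w_space, *p)) ++p;   /* skip separators */
        while (*p && !strchr(w_space, *p)) ++p;  /* skip the token */
    }
    return p;
}

/* The vulnerable loop calls strchr(w_space, *p) without a NUL check. strchr
 * counts the terminating NUL as part of w_space (C11 7.24.5.2), so NUL is
 * "whitespace" and p walks past the end of the line. The fix is the *p &&
 * guard; limit exists only to keep this demo inside pool_buf. */
static const char *skip_separators(const char *p, int fixed, const char *limit)
{
    if (fixed) { while (*p && strchr(w_space, *p)) ++p; }
    else       { while (p < limit && strchr(w_space, *p)) ++p; }
    return p;
}

/* Return the "filename" the parser would emit: bytes up to the next CR/LF/NUL. */
static size_t parse_filename(const char *line, int fixed, char *out, size_t outsz)
{
    const char *p = skip_separators(after_timestamp(line), fixed, pool_buf + POOL_BUF - 1);
    size_t n = strcspn(p, "\r\n");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}
```

Call recycle_buffer_with with the NetWare line from the report (no filename), then parse_filename with fixed=0 and fixed=1: the first returns the tail of the stale Authorization header as the "filename", the second returns an empty name.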

The researchers demonstrated it by leaking an Authorization header from a login page. Credentials, session tokens, API keys — anything that travels in a cleartext HTTP request through the shared proxy is in scope.

The exposure is limited. The researchers pointed out that standard HTTPS connections routed as opaque CONNECT tunnels aren’t affected, and the attacker needs to reach an FTP server from the proxy. But in corporate and legacy environments, sensitive data in cleartext HTTP isn’t unusual.

The researchers confirmed that they used Claude Mythos Preview to find the bug. When pointed at Squid’s FTP state machine, it identified the strchr null terminator behavior almost immediately, citing the exact C11 standard clause that makes strchr(w_space, '\0') return non-null. Few human reviewers would catch that. It also recently found a high-severity OpenSSL vulnerability and the HTTP/2 Bomb denial-of-service technique, both through the same AI-assisted approach.

A patch was merged into Squid version 8 in April 2026 and shipped in version 7.6 in June 2026. If you can’t patch immediately, disabling FTP support removes the attack surface entirely. Chrome dropped FTP years ago, and most organizations running Squid are getting close to zero legitimate FTP traffic, so turning it off costs nothing. FTP parsing might not be the only place where Squid forgot to stop reading.

“The dangers of raw memory access in C are well understood, but the subtleties of standard library functions like strchr are easier to overlook. Few developers would guess that searching for '\0' succeeds, which may explain how a one-line bug survived close to 30 years of code review,” concludes the report. “Claude Mythos Preview, having trained on the entire C standard reference, treats this quirk as just another fact. When pointed at the right code, it spotted the bug almost immediately.”

Below is a video PoC of the attack along with PoCs.

Pierluigi Paganini

(SecurityAffairs – hacking, TPWD)
