
Squidbleed: 29-Year-Old Buffer Overflow Discovered in Squid Proxy

Key Points: A buffer overflow in Squid’s FTP parser enables extraction of user data such as session tokens and API keys in shared proxy environments; Squid 7.6 (June 2026) fixes the vulnerability.

Security firm Calif.io has identified a critical vulnerability (CVE-2026-47729) in Squid Proxy that has existed in the code since 1997. The flaw allows attackers to read unencrypted HTTP request data from other users out of memory.

The Squidbleed vulnerability (CVE-2026-47729) resides in the FTP parser of the open-source proxy tool Squid. The bug causes the parser to read beyond the boundaries of a memory buffer when processing FTP requests. This buffer may contain leftover unencrypted HTTP request data from earlier users. An attacker with control over an accessible FTP server can deliberately retrieve this data.

The risk particularly affects scenarios with shared proxy traffic – corporate networks, schools, public WiFi hotspots – where multiple users utilize the same Squid instance. Only unencrypted HTTP traffic, and configurations in which Squid itself terminates TLS, are affected. Standard HTTPS connections tunneled transparently via CONNECT are not at risk. Potential data that could be extracted includes session tokens, API keys, and login credentials.

Calif.io analysts discovered the vulnerability using Anthropic’s Claude AI model. The same team previously uncovered CVE vulnerabilities in OpenSSL and the HTTP/2 Bomb attack using AI systems. Squid developers fixed the bug in April 2026 in development version 8 and released it in June 2026 with Squid 7.6. As a temporary workaround, it is recommended to disable FTP support in the proxy configuration if not essential.
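The workaround above, shown as a squid.conf fragment. This is an added example and not configuration from the article, the Calif.io advisory, or the Squid project; the ACL names `ftp_requests` and `localnet` and the 10.0.0.0/8 range are assumptions, while `acl ... proto FTP`, `http_access` and `ftp_port` are standard Squid directives.

```conf
# Added example, not from the article or the Squid project:
# a squid.conf fragment that denies ftp:// requests through the proxy
# until the instance is upgraded to Squid 7.6.
# ACL names and the client range are assumptions for illustration.

# Weak (typical default): ftp:// URLs are proxied like any other request,
# so the vulnerable FTP parser is reachable by any client.
#   acl localnet src 10.0.0.0/8
#   http_access allow localnet

# Corrected: match the FTP URL scheme and deny it before any allow rule.
# http_access rules are evaluated top to bottom and the first match wins,
# so the deny line must come before the allow lines.
acl localnet src 10.0.0.0/8
acl ftp_requests proto FTP
http_access deny ftp_requests
http_access allow localnet
http_access deny all

# Do not configure a native FTP listener (ftp_port) unless it is required.
```

Validate the edited file with `squid -k parse` before reloading it with `squid -k reconfigure`, and remove the rule again only once `squid -v` reports 7.6 or later.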


Source: www.it-daily.net · Published June 24, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.
