cbcvebase.
CVE-2009-2855
published 2009-08-18

Priority: P4 (31)
Severity: medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 36.73% (98.3th percentile)
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

Affected

6 ranges
Vendor        Product   Version range                         Fixed in
debian        squid     < squid 2.7.STABLE7-1 (bookworm)      squid 2.7.STABLE7-1 (bookworm)
squid-cache   squid     (no range given)                      (none listed)
squid         squid     >= 0 < 2.7.STABLE7-1                  2.7.STABLE7-1
squid         squid     >= 0 < 2.7.STABLE7-1                  2.7.STABLE7-1
squid         squid     >= 0 < 2.7.STABLE7-1                  2.7.STABLE7-1
squid         squid     >= 0 < 2.7.STABLE7-1                  2.7.STABLE7-1

Detection & IOCs (extracted from sources)

Path: src/HttpHeaderTools.c
  • The vulnerability is triggered via the external_acl_type directive using %{header:member} format where the member separator is not a comma. Monitor Squid configurations using 'external_acl_type' with non-comma delimiters in header extraction (e.g., %{Test:;test}) as these can trigger the infinite loop.
  • A crafted HTTP request header containing comma-delimited values sent to a Squid proxy configured with external_acl_type header extraction will cause 100% CPU utilization (infinite loop in strcspn). Monitor for sustained 100% CPU on Squid processes as an indicator of exploitation.
  • The vulnerable code path is in strListGetItem() within src/HttpHeaderTools.c. Patch or audit this function for infinite loop conditions when processing header list items with non-standard delimiters.
  • A minimal PoC squid.conf configuration that exposes the vulnerability uses: 'external_acl_type test %{Test:;test} /path/to/helper' with an ACL referencing it. Any Squid instance with such a config is exploitable by sending a header like 'Test: a, b, test=test'.
  • The vulnerability only affects Squid 2.7 (and likely 2.6 and earlier versions that introduced external_acl_type header extraction). It does NOT affect Red Hat Enterprise Linux 3 and 4 squid packages, nor Fedora 10 and 11.
  • The vulnerability is fixed in Squid 2.7.STABLE7-1 (Debian). The upstream fix is available in Squid-2.HEAD changeset 12541. Ensure the deployed Squid version is patched before relying on detection alone.
  • The issue is most commonly triggered when Squid is configured to use external_acl_type with cookie or custom header extraction using non-comma delimiters, not just auth headers as the CVE description implies.
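The first and fourth notes above describe the configuration pattern that exposes this bug: an external_acl_type directive whose %{Header:member} token carries an explicit list separator other than the comma (Squid writes it as %{Header:;member}). The following is an added example, not code from the page or from the Squid project, that audits a squid.conf text for exactly that pattern so an operator can find exposed instances before relying on CPU monitoring. The function name find_non_comma_member_tokens and the sample configuration fragment are constructed for this illustration.

```python
import re

# Squid's header-member format token in external_acl_type lines:
#   %{Header:member}        default comma separator
#   %{Header:<sep>member}   explicit single-character separator before the member
# The separator is a single non-word character immediately after the colon.
_MEMBER_TOKEN = re.compile(r"%\{(?P<header>[^:}]+):(?P<sep>[^\w}])?(?P<member>[^}]+)\}")


def find_non_comma_member_tokens(config_text):
    """Scan squid.conf text and return (line_no, acl_type_name, header, separator)
    for each external_acl_type directive that extracts a header member with a
    separator other than the default comma (the risky pattern for CVE-2009-2855)."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("external_acl_type"):
            continue
        parts = line.split()
        acl_type_name = parts[1] if len(parts) > 1 else "?"
        for match in _MEMBER_TOKEN.finditer(line):
            sep = match.group("sep")
            if sep and sep != ",":
                findings.append((line_no, acl_type_name, match.group("header"), sep))
    return findings


# Constructed sample squid.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
# constructed sample: one safe token, one risky token, one explicit comma
external_acl_type safe_acl %{Test:test} /usr/local/bin/helper
external_acl_type cookie_acl %{Cookie:;session} /usr/local/bin/helper
external_acl_type explicit_comma %{Test:,test} /usr/local/bin/helper
acl session_ok external cookie_acl
"""

if __name__ == "__main__":
    for line_no, name, header, sep in find_non_comma_member_tokens(SAMPLE_CONF):
        print(f"line {line_no}: external_acl_type {name} extracts header "
              f"'{header}' with non-comma separator {sep!r}; verify Squid >= 2.7.STABLE7-1")
```

Run it against a real configuration with `find_non_comma_member_tokens(open("/etc/squid/squid.conf").read())`; any hit on an unpatched Squid 2.x instance is the condition the notes above describe, and the fix is to upgrade rather than to rewrite the directive.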

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       5.0     MEDIUM
vendor_debian             5.0     LOW
vendor_redhat             5.0     MEDIUM
vendor_ubuntu             5.0     MEDIUM