CVE-2023-50269
published 2023-12-14

Priority: P358 (high)
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 57.63% (99.0th percentile)
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a denial-of-service attack against HTTP request parsing. The bug allows a remote client to perform a denial-of-service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. The bug is fixed in Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.

Affected (14 ranges)

Vendor      | Product | Version range                     | Fixed in
debian      | squid   | < squid 5.7-2+deb12u1 (bookworm)  | squid 5.7-2+deb12u1 (bookworm)
squid-cache | squid   | (no range recorded)               | (not recorded)
squid-cache | squid   | (no range recorded)               | (not recorded)
squid-cache | squid   | (no range recorded)               | (not recorded)
squid-cache | squid   | (no range recorded)               | (not recorded)
squid-cache | squid   | (no range recorded)               | (not recorded)
squid-cache | squid   | 3.1 – 5.9                         | (not recorded)
squid-cache | squid   | 6.0.1 – 6.5                       | (not recorded)
squid       | squid   | >= 0, < 4.13-10+deb11u3           | 4.13-10+deb11u3
squid       | squid   | >= 0, < 5.7-2+deb12u1             | 5.7-2+deb12u1
squid       | squid   | >= 0, < 6.6-1                     | 6.6-1
squid       | squid   | >= 0, < 6.6-1                     | 6.6-1
squid       | squid   | >= 0, < 4.10-1ubuntu1.9           | 4.10-1ubuntu1.9
squid       | squid   | >= 0, < 5.7-0ubuntu0.22.04.3      | 5.7-0ubuntu0.22.04.3

Five squid-cache rows carry no version range on the page; the upstream affected ranges are the ones given in the description (2.6 through 2.7.STABLE9, 3.1 through 5.9, 6.0.1 through 6.5, fixed in 6.6). The "squid" vendor rows are distribution package versions, which may carry the fix as a backported patch without a 6.6 upstream version number.

Detection & IOCs (extracted from sources)

  • Attack vector: a remote client sends an oversized X-Forwarded-For header, triggering uncontrolled recursion in Squid's HTTP request parsing and crashing the proxy (denial of service).
  • Exploitation requires the follow_x_forwarded_for directive to be set in squid.conf (the feature is off unless configured); detection and hunting should focus on Squid instances that enable it.
  • Monitor Squid logs and process health for unexpected crashes correlated with inbound requests carrying abnormally large X-Forwarded-For headers. Note that the default squid, common and combined log formats do not record this header, so hunting on it requires a custom logformat.
  • Mitigation (if patching is not immediately possible): remove all follow_x_forwarded_for lines from squid.conf, which eliminates the attack surface entirely.
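The checks in the list above, carried out in code. This is an added example, not code from the page, the advisory, or the Squid project: it parses a constructed squid.conf fragment for an active follow_x_forwarded_for directive, emits a hardened copy with those lines removed, and hunts a constructed access log for oversized X-Forwarded-For values. The log lines use a custom logformat that records the header with Squid's `%>h{X-Forwarded-For}` token; the thresholds (1024 bytes, 32 hops) and the sample addresses are assumptions for illustration.

```python
import re

# Constructed squid.conf fragment (example input, not from the advisory).
# One active follow_x_forwarded_for line, one commented-out copy, and a
# custom logformat that records X-Forwarded-For via Squid's %>h{Header}
# token, since the built-in squid/common/combined formats do not log it.
SAMPLE_CONF = """\
http_port 3128
acl localnet src 10.0.0.0/8
# follow_x_forwarded_for allow localnet
follow_x_forwarded_for allow localnet
logformat xff %ts.%03tu %>a %>Hs %rm %ru "%>h{X-Forwarded-For}"
access_log /var/log/squid/access.log xff
"""

# A directive line: optional leading whitespace, then the keyword as a whole word.
FOLLOW_XFF = re.compile(r"^\s*follow_x_forwarded_for\b")


def follow_xff_enabled(conf_text):
    """True if any uncommented line sets follow_x_forwarded_for (exposure to CVE-2023-50269)."""
    return any(FOLLOW_XFF.match(line) for line in conf_text.splitlines())


def remove_follow_xff(conf_text):
    """Mitigation from the advisory: drop every active follow_x_forwarded_for line.
    Comment lines are left alone so the configuration history stays readable."""
    kept = [line for line in conf_text.splitlines() if not FOLLOW_XFF.match(line)]
    return "\n".join(kept) + "\n"


# Constructed access.log lines in the 'xff' format above (assumed traffic, not real data).
# The second line carries a 2000-hop X-Forwarded-For chain, the shape an attack would have.
_BIG_XFF = ", ".join("198.51.100.%d" % (i % 254 + 1) for i in range(2000))
SAMPLE_LOG = "\n".join([
    '1702512000.123 203.0.113.7 200 GET http://example.com/ "198.51.100.4"',
    '1702512001.456 203.0.113.9 200 GET http://example.com/ "%s"' % _BIG_XFF,
    '1702512002.789 203.0.113.8 200 GET http://example.com/ "-"',
]) + "\n"

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<xff>[^"]*)"$'
)


def find_oversized_xff(log_text, max_bytes=1024, max_hops=32):
    """Return entries whose X-Forwarded-For value is abnormally large.

    The thresholds are assumptions: a legitimate proxy chain is a handful of
    addresses, so exceeding either limit deserves a look. Squid writes '-'
    when the header is absent, and a request that actually crashes a worker
    may never reach the log, so pair this with process-health monitoring.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        xff = m.group("xff")
        if xff == "-":
            continue
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if len(xff) > max_bytes or len(hops) > max_hops:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "status": m.group("status"),
                "bytes": len(xff),
                "hops": len(hops),
            })
    return hits


if __name__ == "__main__":
    print("follow_x_forwarded_for active:", follow_xff_enabled(SAMPLE_CONF))
    for hit in find_oversized_xff(SAMPLE_LOG):
        print("suspicious XFF from %(client)s at %(ts)s: %(bytes)d bytes, %(hops)d hops" % hit)
    print("hardened config:\n" + remove_follow_xff(SAMPLE_CONF))
```

Run against a real deployment, feed `follow_xff_enabled` the deployed squid.conf (and any files it includes) and `find_oversized_xff` an access log written with a logformat that records the header; the regex above matches only the constructed `xff` format, so adapt it to whatever format you deploy.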

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 8.6   | HIGH     |
vendor_redhat |         | 8.6   | HIGH     |
vendor_ubuntu |         | 8.6   | HIGH     |

The page gives a vector only for the NVD score; the three vendor scores of 8.6 are listed without one.