CVE-2024-25111
published 2024-03-06

CVE-2024-25111: Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked…

Priority: P3 (56), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 65.25% (99.2nd percentile)
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.

Affected

13 ranges

Vendor         Product   Version range                      Fixed in
debian         squid     < 5.7-2+deb12u1 (bookworm)         5.7-2+deb12u1 (bookworm)
fedoraproject  fedora    (not listed)                       (not listed)
fedoraproject  fedora    (not listed)                       (not listed)
squid-cache    squid     (not listed)                       (not listed)
squid-cache    squid     >= 3.5.27, < 6.8                   6.8
squid          squid     >= 0, < 4.13-10+deb11u4            4.13-10+deb11u4
squid          squid     >= 0, < 5.7-2+deb12u1              5.7-2+deb12u1
squid          squid     >= 0, < 6.8-1                      6.8-1
squid          squid     >= 0, < 6.8-1                      6.8-1
squid          squid     >= 0, < 4.10-1ubuntu1.11           4.10-1ubuntu1.11
squid          squid     >= 0, < 4.10-1ubuntu1.12           4.10-1ubuntu1.12
squid          squid     >= 0, < 4.10-1ubuntu1.10           4.10-1ubuntu1.10
squid          squid     >= 0, < 5.7-0ubuntu0.22.04.4       5.7-0ubuntu0.22.04.4

Detection & IOCs (extracted from sources)

  • Trigger condition: a crafted chunked-encoded HTTP message sent to the Squid proxy drives uncontrolled recursion in the HTTP Chunked decoder, resulting in denial of service.
  • Affected versions: Squid 3.5.27 through 6.7 (any release prior to 6.8). Monitor for anomalous chunked Transfer-Encoding HTTP requests aimed at Squid proxy listeners.
  • Observable impact: the source describes the Squid process as ceasing to respond rather than exiting; keep this in mind when distinguishing it from other Squid DoS CVEs where the process crashes.
  • Red Hat Enterprise Linux 6 and 7 ship an older Squid version that does not contain the vulnerable code introduced in 3.5.27; do not alert on those platforms.
  • There is no configuration-level workaround; remediation is upgrading to Squid 6.8 or applying the stable-release patches from Squid's patch archives.
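As an added example (not part of the CVE record or of the Squid project), the following Python check classifies a Squid version string against the upstream range published above (>= 3.5.27 and < 6.8) and separates distribution packages, whose backported fixes are only visible in the vendor table and not in the upstream number, from plain upstream builds. The accepted input shapes, function names and the "check_distro_advisory" verdict are assumptions for this example.

```python
"""Added example, not part of the CVE record or of the Squid project:
classify a Squid version string against the CVE-2024-25111 range
published above (affected >= 3.5.27 and < 6.8) and flag distribution
packages whose backported fix cannot be judged from the upstream number.
"""
import re
from typing import Optional, Tuple

# Upstream range taken from the advisory text above.
AFFECTED_FROM: Tuple[int, ...] = (3, 5, 27)
FIXED_IN: Tuple[int, ...] = (6, 8)

# First run of dotted integers, e.g. "6.7" in "Squid Cache: Version 6.7".
_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version as an int tuple, or None if absent.

    Accepts a bare version ("5.7"), the first line of `squid -v`
    ("Squid Cache: Version 5.7") or a package version ("5.7-2+deb12u1");
    only the leading upstream part is returned.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(0).split("."))


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad with zeros so "6.8" and "6.8.0" compare equal.
    return v + (0,) * (width - len(v))


def has_distro_revision(text: str) -> bool:
    """True when a Debian/Ubuntu-style revision follows the upstream
    version (e.g. "5.7-2+deb12u1", "4.10-1ubuntu1.11")."""
    m = _VERSION_RE.search(text)
    if m is None:
        return False
    rest = text[m.end():]
    return rest.startswith(("-", "+", "~"))


def classify(text: str) -> str:
    """Return one of (verdict names are this example's own):
      "unknown"                - no version number found
      "not_affected"           - upstream version outside [3.5.27, 6.8)
      "affected"               - upstream build inside the range
      "check_distro_advisory"  - upstream number is in range but the string
                                 carries a distro revision; the vendor may have
                                 backported the fix, so compare the package
                                 against the vendor table (dpkg --compare-versions
                                 or rpm), not against the upstream number alone
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    width = max(len(v), len(AFFECTED_FROM), len(FIXED_IN))
    in_range = _pad(AFFECTED_FROM, width) <= _pad(v, width) < _pad(FIXED_IN, width)
    if not in_range:
        # Outside the upstream range, e.g. RHEL 6/7's pre-3.5.27 Squid,
        # or 6.8 and later: the vulnerable code is absent or already fixed.
        return "not_affected"
    if has_distro_revision(text):
        return "check_distro_advisory"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs: `squid -v` output, bare versions, package versions.
    for sample in (
        "Squid Cache: Version 6.7",
        "Squid Cache: Version 6.8",
        "3.5.26",
        "3.5.27",
        "5.7-2+deb12u1",      # Debian bookworm package listed as fixed above
        "4.10-1ubuntu1.10",
        "no version here",
    ):
        print(f"{sample!r:32} -> {classify(sample)}")
```

Feed it the first line of `squid -v` on a host, or the package version from `dpkg -s squid` / `rpm -q squid`; a "check_distro_advisory" verdict means the upstream number alone is misleading and the package must be compared against the vendor's fixed version in the table above.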

CVSS provenance

Source         CVSS version  Score  Severity  Vector
nvd            3.1           7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv            -             7.5    HIGH      -
vendor_debian  -             8.6    HIGH      -
vendor_redhat  -             8.6    HIGH      -
vendor_ubuntu  -             8.6    HIGH      -