CVE-2024-25111
Published 2024-03-06
Priority P3 · 56 · high · 7.5 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 65.25% (99.2th percentile)
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u1 (bookworm) | squid 5.7-2+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | >= 3.5.27 < 6.8 | 6.8 |
| squid | squid | >= 0 < 4.13-10+deb11u4 | 4.13-10+deb11u4 |
| squid | squid | >= 0 < 5.7-2+deb12u1 | 5.7-2+deb12u1 |
| squid | squid | >= 0 < 6.8-1 | 6.8-1 |
| squid | squid | >= 0 < 6.8-1 | 6.8-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.11 | 4.10-1ubuntu1.11 |
| squid | squid | >= 0 < 4.10-1ubuntu1.12 | 4.10-1ubuntu1.12 |
| squid | squid | >= 0 < 4.10-1ubuntu1.10 | 4.10-1ubuntu1.10 |
| squid | squid | >= 0 < 5.7-0ubuntu0.22.04.4 | 5.7-0ubuntu0.22.04.4 |
Detection & IOCs (extracted from sources)
- Trigger condition: sending a crafted, chunked, encoded HTTP Message to Squid proxy causes uncontrolled recursion in the HTTP Chunked decoder, resulting in denial of service (Squid stops responding)
- Affected versions: Squid 3.5.27 through 6.7 (prior to 6.8); monitor for anomalous chunked Transfer-Encoding HTTP requests targeting Squid proxy listeners
- Observable impact: Squid process stops responding entirely (not a crash/exit); distinguish from other Squid DoS CVEs where the process crashes
- Red Hat Enterprise Linux 6 and 7 ship an older Squid version that does NOT contain the vulnerable code introduced in 3.5.27; do not alert on those platforms
- There is no configuration-level workaround available; detection/response must rely on patching to Squid 6.8 or applying the stable-release patches from Squid's patch archives
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 8.6 | HIGH | — |
| vendor_redhat | — | 8.6 | HIGH | — |
| vendor_ubuntu | — | 8.6 | HIGH | — |
Ubuntu · vendor_ubuntu · 2024-04-23 · CVSS 8.6
CVE-2023-49288 [HIGH] Squid vulnerability
Title: Squid vulnerability
Summary: Squid could be made to crash if it received specially crafted network
traffic.
USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS and was disabled
in USN-6728-2. The problematic fix for CVE-2023-5824 has now been corrected
and reinstated in this update.
We apologize for the inconvenience.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remo
Ubuntu · vendor_ubuntu · 2024-04-11 · CVSS 8.6
CVE-2023-5824 [HIGH] Squid regression
Title: Squid regression
Summary: USN-6728-1 introduced a regression in Squid.
USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic
fix has been reverted pending further investigation.
We apologize for the inconvenience.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of
Ubuntu · vendor_ubuntu · 2024-04-10 · CVSS 8.6
CVE-2024-23638 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)
Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)
Joshua Rogers discovere
Red Hat · vendor_redhat · 2024-03-06 · CVSS 8.6
CVE-2024-25111 [HIGH] CWE-674 squid: Denial of Service in HTTP Chunked Decoding
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
A flaw was found in Squid. This issue may allow a remote attacker to trigger an uncontrolled recursion bug when sending a specially crafted, chunked, encoded HTTP Message, resulting in a denial of service.
Statement: As this flaw allows
Debian · vendor_debian · 2024 · CVSS 8.6
CVE-2024-25111 [HIGH] CVE-2024-25111: squid - Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8,...
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
Scope: local
bookworm: resolved (fixed in 5.7-2+deb12u1)
bullseye: resolved (fixed in 4.13-10+deb11u4)
forky: resolved (fixed in 6.8-1)
sid: resolved (fixed in 6.8-1)
trixie: resolved (fixed in 6.8-1)
OSV · osv · 2024-04-23 · CVSS 7.5
CVE-2023-5824 [HIGH] squid vulnerability
USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS and was disabled
in USN-6728-2. The problematic fix for CVE-2023-5824 has now been corrected
and reinstated in this update.
We apologize for the inconvenience.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of serv
OSV · osv · 2024-04-11 · CVSS 7.5
CVE-2023-5824 [HIGH] squid regression
USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic
fix has been reverted pending further investigation.
We apologize for the inconvenience.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)
Joshua Rogers discovered that Squid
OSV · osv · 2024-04-10 · CVSS 7.5
CVE-2023-49288 [HIGH] squid vulnerabilities
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)
Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)
Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A r
OSV · osv · 2024-03-06 · CVSS 7.5
CVE-2024-25111 [HIGH] CVE-2024-25111: Squid is a web proxy cache
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch
- https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc
- https://lists.fedoraproject.org/archives/list/[email protected]/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/
- https://security.netapp.com/advisory/ntap-20240605-0001/
- https://lists.debian.org/debian-lts-announce/2025/03/msg00009.html
Published 2024-03-06