CVE-2024-25617
published 2024-02-14


Priority: P261 high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H)
EPSS: 88.86% (99.8th percentile)
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator sets these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2.

Affected (11 ranges)

Vendor      | Product | Version range                      | Fixed in
debian      | squid   | < squid 5.7-2+deb12u1 (bookworm)   | squid 5.7-2+deb12u1 (bookworm)
squid-cache | squid   | < 6.5                              | 6.5
squid-cache | squid   | >= 3.0 < 6.5                       | 6.5
squid       | squid   | >= 0 < 4.13-10+deb11u3             | 4.13-10+deb11u3
squid       | squid   | >= 0 < 5.7-2+deb12u1               | 5.7-2+deb12u1
squid       | squid   | >= 0 < 6.5-1                       | 6.5-1
squid       | squid   | >= 0 < 6.5-1                       | 6.5-1
squid       | squid   | >= 0 < 4.10-1ubuntu1.11            | 4.10-1ubuntu1.11
squid       | squid   | >= 0 < 4.10-1ubuntu1.12            | 4.10-1ubuntu1.12
squid       | squid   | >= 0 < 4.10-1ubuntu1.10            | 4.10-1ubuntu1.10
squid       | squid   | >= 0 < 5.7-0ubuntu0.22.04.4        | 5.7-0ubuntu0.22.04.4

Detection & IOCs (extracted from sources)

  • Squid is vulnerable when request_header_max_size or reply_header_max_size are set to values greater than 64 KB; monitor for oversized HTTP headers sent to or from the Squid proxy
  • Monitor Squid's cache.log for critical warnings about unsafe header size configuration values, which indicate exploitable conditions
  • Detect DoS attempts by monitoring for HTTP requests or responses with abnormally large headers directed at Squid proxy instances
  • Squid versions prior to 6.5 have unsafe default values for request_header_max_size and reply_header_max_size, making them vulnerable without any configuration change by the admin
  • Red Hat Enterprise Linux 7, 8, and 9 ship Squid with an unsafe default configuration and are confirmed vulnerable
  • Mitigation for pre-6.5 Squid: set both request_header_max_size and reply_header_max_size to 21 KB in the Squid configuration file
  • Squid 6.5 and later use safe defaults for header size parameters, but will not prevent administrators from setting unsafe values; only a warning is emitted
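The two checks the bullets above describe, a configuration audit and an on-the-wire header-size measurement, as an added example written for this page; it is not code from the Squid project or from any of the cited advisories. It assumes that a bare number in a size directive means bytes, that a later occurrence of a directive overrides an earlier one, and it takes the 21 KB mitigation value straight from the bullet list; the version string is supplied by the caller because the script does not query a running Squid. All sample configuration and request bytes are constructed here.

```python
"""Audit squid.conf header-size limits and measure raw HTTP header blocks
(CVE-2024-25617). Added example; thresholds and defaults follow the page text."""
import re

KB = 1024
# Mitigation value quoted on this page (21 KB); anything larger is reported.
MITIGATION_LIMIT = 21 * KB
DIRECTIVES = ("request_header_max_size", "reply_header_max_size")
# Squid size suffixes; a bare number is treated as bytes (assumption).
UNITS = {"bytes": 1, "kb": KB, "mb": KB ** 2, "gb": KB ** 3}


def parse_size(value):
    """Convert a Squid size value such as '64 KB' or '21 KB' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    unit = (m.group(2).lower() or "bytes") if m else None
    if unit not in UNITS:
        raise ValueError(f"unparseable Squid size: {value!r}")
    return int(m.group(1)) * UNITS[unit]


def audit_squid_conf(conf_text, squid_version):
    """Return {directive: (effective bytes or None, verdict)} for a squid.conf.

    A directive left unset falls back to Squid's built-in default, which the
    advisory text calls unsafe before 6.5 and safe from 6.5 on, so an absent
    directive is judged purely on the version string passed in.
    """
    configured = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            configured[parts[0]] = parse_size(parts[1])  # assumption: later line wins
    major_minor = tuple(int(p) for p in squid_version.split(".")[:2])
    default_is_safe = major_minor >= (6, 5)
    report = {}
    for directive in DIRECTIVES:
        if directive in configured:
            size = configured[directive]
            verdict = "ok" if size <= MITIGATION_LIMIT else "unsafe"
        else:
            size = None
            verdict = "ok (default)" if default_is_safe else "unsafe (default)"
        report[directive] = (size, verdict)
    return report


def header_section_size(message, limit=MITIGATION_LIMIT):
    """Measure the header block of a raw HTTP request or response.

    Returns (bytes_seen, oversized). The block ends at the first blank line;
    if none has arrived yet, every byte so far counts as header, which is
    how a never-ending header looks to a proxy buffering it.
    """
    end = message.find(b"\r\n\r\n")
    size = len(message) if end < 0 else end + 4
    return size, size > limit


# Constructed sample inputs (not from any real deployment).
PRE_65_CONF = """
http_port 3128
request_header_max_size 64 KB   # above the 21 KB mitigation value
# reply_header_max_size left unset, so the built-in default applies
"""
HARDENED_CONF = """
http_port 3128
request_header_max_size 21 KB
reply_header_max_size 21 KB
"""
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"
HUGE_REQUEST = (b"GET / HTTP/1.1\r\nHost: proxy.example\r\n"
                b"X-Pad: " + b"A" * 70_000 + b"\r\n\r\n")

if __name__ == "__main__":
    print("pre-6.5 file on 5.7:", audit_squid_conf(PRE_65_CONF, "5.7"))
    print("hardened file on 5.7:", audit_squid_conf(HARDENED_CONF, "5.7"))
    print("empty file on 6.5:", audit_squid_conf("", "6.5"))
    print("normal request:", header_section_size(NORMAL_REQUEST))
    print("huge request:", header_section_size(HUGE_REQUEST))
```

On a 6.5 or later host the authoritative configuration check remains `squid -k parse` plus the critical warning in cache.log that the description mentions; this script is useful for fleets where the config file is available but the daemon is not, and for baselining header sizes in captured traffic before an alert threshold is chosen.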

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv           |         | 7.5   | HIGH     |
vendor_ubuntu |         | 8.6   | HIGH     |
vendor_debian |         | 5.3   | MEDIUM   |
vendor_redhat |         | 5.3   | MEDIUM   |