CVE-2025-54574
published 2025-08-01


Priority: P277
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 23.46% (97.5th percentile)
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow, and possibly to remote code execution, when processing URN requests, due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.

Affected (6 ranges)

Vendor        Product   Version range                          Fixed in
debian        squid     < squid 5.7-2+deb12u3 (bookworm)       squid 5.7-2+deb12u3 (bookworm)
squid-cache   squid     < 6.4                                  6.4
squid         squid     >= 0 < 4.13-10+deb11u5                 4.13-10+deb11u5
squid         squid     >= 0 < 5.7-2+deb12u3                   5.7-2+deb12u3
squid         squid     >= 0 < 6.5-1                           6.5-1
squid         squid     >= 0 < 6.5-1                           6.5-1

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered during URN (Uniform Resource Name) processing in Squid's core request-handling path; monitor or block URN-scheme requests to Squid proxy instances.
  • The heap-based buffer overflow occurs specifically in the URN processing code path; focus memory/crash analysis and exploit detection on URN request handling within Squid.
  • Workaround: disable URN access permissions in the Squid configuration to prevent exploitation until patching is possible.
  • Affected versions are Squid 6.3 and below; fixed in Squid 6.4 (upstream) and in the Debian-specific fixed versions: bookworm 5.7-2+deb12u3, bullseye 4.13-10+deb11u5, forky/sid/trixie 6.5-1.
  • The Red Hat Enterprise Linux 10 squid package is listed as Not Affected; the RHEL 6 packages (squid, squid34) are out of support scope.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             9.3     CRITICAL
vendor_redhat             9.3     CRITICAL