CVE-2023-46728

SQUID-2021:8 Denial of Service in Gopher gateway

CVSS 7.5 HIGH · EPSS 6.0% · CWE-476
In short

Squid proxy has a bug in its Gopher gateway that can crash the service when receiving certain responses, even from legitimate servers. This causes a denial of service where the proxy stops working for all users.

Technical detail

A NULL pointer dereference in Squid's Gopher protocol handler allows remote attackers to cause a denial of service by returning specially crafted responses to the proxy. The Gopher gateway is enabled by default in versions prior to 6.0.1, and triggering the bug requires only that the proxy fetch a gopher URL from a server that returns such a response.

Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug, Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses that trigger this bug can be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
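A squid.conf fragment implementing the workaround the description recommends (rejecting all gopher URL requests) is shown below. It is added here as an illustration and is not taken from the Squid advisory or from the Squid project. It assumes a stock configuration in which the site's own `http_access allow` rules come after these lines, since Squid evaluates `http_access` rules top-down and stops at the first match; the ACL name `gopher_urls` is chosen for this example.

```conf
# Workaround for CVE-2023-46728 on Squid versions before 6.0.1:
# refuse to proxy any gopher:// request so the vulnerable Gopher
# gateway is never invoked. Put these lines BEFORE every
# "http_access allow ..." rule; Squid applies http_access rules
# in order and the first matching rule wins.
acl gopher_urls proto gopher
http_access deny gopher_urls

# The rest of the existing policy follows, for example:
# acl localnet src 10.0.0.0/8
# http_access allow localnet
# http_access deny all
```

After editing, validate the file with `squid -k parse` and apply it without a restart using `squid -k reconfigure`. Requests for gopher URLs will then be answered with an access-denied error page instead of being forwarded, which can be confirmed in access.log. This is a stopgap; the durable fix remains upgrading to 6.0.1 or later, where the Gopher gateway no longer exists.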
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
squid-cache · squid
