CVE-2024-37894
Squid vulnerable to heap corruption in ESI assign
In short
Squid, a web caching tool, has a flaw in how it handles ESI variables that can overwrite memory it shouldn't touch. An attacker can exploit this to crash the service or cause it to malfunction.
Technical detail
An out-of-bounds write in Squid's ESI (Edge Side Includes) variable assignment mechanism allows an attacker to corrupt heap memory. Exploitation requires Squid to process crafted ESI content; the result can be denial of service through an application crash or undefined behavior.
Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
Affected products
squid-cache · squid