CVE-2024-45802
Squid Denial of Service
In short
Squid, a web caching proxy, can be crashed or made unavailable when a trusted server sends specially crafted traffic, affecting every client that relies on that proxy. The cause is insufficient input validation and faulty resource management in Squid, which let the server trigger a denial of service.
Technical detail
A trusted upstream server can exploit input validation flaws and improper resource management (a resource released prematurely during its expected lifetime, and a resource not released after its effective lifetime) in Squid to cause a denial of service condition affecting all downstream clients. Exploitation requires a trusted server in the chain; the bug is fixed in the default build configuration of Squid 6.10.
Summary generated and translated by AI from the official description.
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.
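Because the advisory pins the fix to the default build configuration of Squid 6.10, the first triage step on a host is to read the installed version. The helper below is an added example for this page, not code from the Squid project or the advisory: it parses the first line of `squid -v` (the `Squid Cache: Version X.Y` banner, with any vendor suffix after the numbers ignored), compares it against 6.10, and carries the caveat that a non-default build configuration needs confirmation from the vendor's own advisory. The sample banners are constructed.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Version in which the advisory says the bug is fixed (default build configuration).
FIXED_VERSION: Tuple[int, ...] = (6, 10)

# Constructed sample banners in the shape `squid -v` prints on its first line.
SAMPLE_BANNERS = [
    "Squid Cache: Version 6.9",
    "Squid Cache: Version 6.10",
    "Squid Cache: Version 5.7-VCS",
    "not a squid banner",
]


def parse_squid_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version from a `squid -v` banner.

    Accepts 'Squid Cache: Version 6.9' and 'Squid Cache: Version 5.7-VCS';
    anything after the dotted numbers (distro or VCS suffix) is ignored.
    Returns None when no version number is present.
    """
    match = re.search(r"Version\s+(\d+(?:\.\d+)*)", banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_below_fixed(version: Tuple[int, ...]) -> bool:
    """Tuple comparison: (6, 9) < (6, 10) is True, (6, 10, 1) < (6, 10) is False."""
    return version < FIXED_VERSION


def assess(banner: str) -> Dict[str, str]:
    """Classify one banner for CVE-2024-45802 triage.

    status is one of:
      no-version       - banner did not contain a parsable version
      likely-affected  - version is older than 6.10
      fixed-version    - version is 6.10 or newer (default build configuration)
    """
    version = parse_squid_version(banner)
    if version is None:
        return {"status": "no-version", "note": "could not read a Squid version"}
    if is_below_fixed(version):
        return {
            "status": "likely-affected",
            "note": "older than 6.10; plan an upgrade or apply the vendor fix",
        }
    return {
        "status": "fixed-version",
        "note": "6.10 or newer; fix applies to the default build configuration, "
                "confirm build options with your vendor if you use a custom build",
    }


def local_squid_banner() -> Optional[str]:
    """Run `squid -v` on this host and return its first line, or None if absent."""
    try:
        out = subprocess.run(["squid", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        result = assess(sample)
        print(f"{sample!r}: {result['status']} ({result['note']})")
    banner = local_squid_banner()
    if banner:
        print("this host:", assess(banner))
```

The status strings are deliberately coarse: a version check tells you whether the fixed release is installed, not whether a given distro backported the fix or built Squid with non-default options, so treat `likely-affected` as a prompt to check the vendor advisory rather than as a verdict.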
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
squid-cache · squid