
Critical Vulnerability in Squid Allows Remote Code Execution by Attackers

A critical security vulnerability has been identified in Squid Web Proxy Cache, allowing attackers to execute remote code via a heap buffer overflow in URN (Uniform Resource Name) handling. This vulnerability, tracked as CVE-2025-54574, impacts all Squid versions prior to 6.4 and has been rated with a critical severity level due to its potential for significant system compromise. The flaw arises from improper buffer management in Squid’s URN processing mechanism, which can be exploited remotely. Attackers can potentially access up to 4KB of Squid’s allocated heap memory, which may contain sensitive information such as credentials and authentication tokens. The vulnerability affects a wide range of Squid versions, including all Squid-4 versions up to 4.17, all Squid-5 versions up to 5.9, and all Squid-6 versions up to 6.3. Legacy versions prior to Squid 4.14 are presumed vulnerable, further expanding the attack surface.

To mitigate this vulnerability, organisations are advised to implement immediate protective measures while planning for system updates. The primary workaround is to deny URN requests with an Access Control List (ACL): adding the configuration line “acl URN proto URN” followed by “http_access deny URN” blocks URN protocol requests and keeps them from reaching the vulnerable code path. The Squid development team has released version 6.4 as the patched release, with the specific fix documented in commit a27bf4b84da23594150c7a86a23435df0b35b988. Security researchers StarryNight discovered the vulnerability, while the Measurement Factory developed and implemented the fix. System administrators should prioritise updating to the latest version of Squid to ensure security.
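As an added example (not code from the Squid project or the advisory), the following Python check audits a proxy for the two conditions described above: whether the reported version is older than 6.4, and whether the URN deny rule is defined and placed ahead of any allow rule. It assumes the version banner has the "Version X.Y" form printed by `squid -v`; the function names and sample configurations are constructed for illustration.

```python
import re

PATCHED = (6, 4)  # first fixed release named in the article

def is_vulnerable_version(banner: str) -> bool:
    """banner: text containing 'Version X.Y' (assumed `squid -v` format)."""
    m = re.search(r"Version (\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no Squid version found in banner")
    return (int(m.group(1)), int(m.group(2))) < PATCHED

def urn_workaround_active(conf_text: str) -> bool:
    """True only if an unconditional deny on a 'proto URN' ACL precedes
    every http_access allow rule (Squid applies the first matching rule)."""
    urn_acls = set()
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # whole-line comment
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "proto" and "URN" in tok[3:]:
            urn_acls.add(tok[1])  # remember the ACL name, whatever it is called
        elif len(tok) >= 3 and tok[0] == "http_access":
            if tok[1] == "deny" and len(tok) == 3 and tok[2] in urn_acls:
                return True
            if tok[1] == "allow":
                return False  # an earlier allow could match a URN request first
    return False

# Constructed sample configurations (not taken from a real deployment).
GOOD_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN
http_access allow localnet
http_access deny all
"""
BAD_ORDER_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet
http_access deny URN
http_access deny all
"""

if __name__ == "__main__":
    print(is_vulnerable_version("Squid Cache: Version 6.3"))
    print(urn_workaround_active(GOOD_CONF), urn_workaround_active(BAD_ORDER_CONF))
```

The ordering check is deliberately conservative: any allow rule ahead of the URN deny is reported as a failure, because that rule may admit URN requests before the deny is evaluated.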
