Particle.news

Squidbleed Lets Shared Squid Proxies Leak Other Users' HTTP Requests

A 1997 FTP parser over-read can expose cleartext HTTP headers or tokens to an attacker who shares the proxy unless operators verify the patch or disable FTP.

Overview

  • Researchers at Calif.io disclosed CVE-2026-47729, nicknamed Squidbleed, describing a heap over-read in Squid's FTP directory-listing parser that dates to 1997 and can return residual memory from other users' requests.
  • The bug is triggered when an attacker who can use the same Squid proxy also controls an FTP server reachable through that proxy and serves a crafted directory listing that makes the parser read past the end of a buffer.
  • Exposed data can include authorization headers, session tokens, and API keys from cleartext HTTP traffic or from Squid deployments that terminate TLS, while standard opaque HTTPS CONNECT tunnels are not affected.
  • A one-line null-terminator guard was merged upstream in April 2026 and incorporated into releases, but maintainers and distributions have given mixed signals about which stable builds include the fix, so administrators must confirm the guard is present in their specific build.
  • Proof-of-concept code is public, researchers credited an AI model with helping find the bug, and no in-the-wild exploitation had been reported at disclosure; operators are advised to disable FTP if it is unused and to validate patches quickly to reduce risk.
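The bug class the bullets describe, a field scanner that stops only on a delimiter and therefore walks past a string's terminator into adjacent heap bytes, is easier to reason about with a minimal reproduction. The following is an added, constructed illustration written for this summary; it is not Squid's parser, not the disclosed patch, and the function names (`scan_field_unsafe`, `scan_field_safe`, `overread_bytes`) and the contents of `region` are assumptions chosen for the example. The "residual" bytes stand in for whatever an earlier request left in the same allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory region (not real traffic): one directory-listing line
 * that has no whitespace delimiter before its terminating NUL, followed by
 * residual bytes that a previous, unrelated request left in the allocation. */
static const char region[] =
    "incomplete-entry\0"                /* 16 chars, then the NUL terminator */
    "Authorization: Bearer RESIDUAL";   /* stale bytes beyond the string      */

typedef size_t (*scanner_fn)(const char *, char *, size_t);

/* Copies one whitespace-delimited field from `line` into `out` (at most
 * outlen-1 bytes, always NUL-terminated). Returns how many input bytes were
 * examined. UNSAFE: the loop never tests for '\0', so a line with no delimiter
 * sends the scan into whatever follows the string in memory. */
static size_t scan_field_unsafe(const char *line, char *out, size_t outlen)
{
    size_t i = 0, n = 0;
    while (line[i] != ' ' && line[i] != '\t' && line[i] != '\n') {
        if (n + 1 < outlen)
            out[n++] = line[i];
        i++;
    }
    out[n] = '\0';
    return i;
}

/* The same scanner with the one-line guard: the string terminator ends the
 * scan, so the parser can never read beyond the line it was handed. */
static size_t scan_field_safe(const char *line, char *out, size_t outlen)
{
    size_t i = 0, n = 0;
    while (line[i] != '\0' && line[i] != ' ' && line[i] != '\t' &&
           line[i] != '\n') {
        if (n + 1 < outlen)
            out[n++] = line[i];
        i++;
    }
    out[n] = '\0';
    return i;
}

/* Runs a scanner over `region` and returns how many bytes past the listing
 * line's terminator it examined; 0 means it stayed inside the line. */
static size_t overread_bytes(scanner_fn scan)
{
    char field[64];
    size_t consumed = scan(region, field, sizeof field);
    size_t line_len = strlen(region);   /* 16: stops at the embedded NUL */
    return consumed > line_len ? consumed - line_len : 0;
}

int main(void)
{
    printf("unsafe scanner read %zu bytes past the line\n",
           overread_bytes(scan_field_unsafe));
    printf("safe scanner read %zu bytes past the line\n",
           overread_bytes(scan_field_safe));
    return 0;
}
```

The unsafe scanner reports 15 bytes of over-read because the first whitespace it finds is the space after `Authorization:`, inside the residual data; the guarded version reports 0. When verifying a vendor build, this is the property to check for: the listing parser's delimiter loop must treat the string terminator as an end condition, which is what the one-line upstream guard adds.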