Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days

In February 2021, I started looking for vulnerabilities in forward proxies and found various issues in Squid. More background on what is in this repository is on my blog: https://joshua.hu/squid-security-audit-35-0days-45-exploits

Explanations and reproducers for each vulnerability are documented in the individual markdown files. IDs (CVE / GHSA) are assigned where possible; however, since the majority of these issues remain unfixed, most have no identifier.

The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far.

With any system or project, it is important to regularly review the solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may be exposed to any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.

| Vulnerability | CVE | GHSA |
|---|---|---|
| Buffer Overflow in Digest Authentication | CVE-2023-46847 | GHSA-phqj-m8gv-cq4g |
| Use-After-Free in TRACE Requests | CVE-2023-49288 | GHSA-rj5h-46j6-q2g5 |
| Partial Content Parsing Use-After-Free | CVE-2021-31807 | GHSA-pxwq-f3qr-w2xf |
| X-Forwarded-For Stack Overflow | CVE-2023-50269 | GHSA-wgq4-4cfg-c4x3 |
| Chunked Encoding Stack Overflow | | |
| Use-After-Free in Cache Manager Errors | CVE-2024-23638 | GHSA-j49p-553x-48rx |
| Cache Poisoning by Large Stored Response Headers (With Bonus XSS) | CVE-2023-5824 | GHSA-543m-w2m2-g255 |
| Memory Leak in CacheManager URI Parsing | CVE-2021-28652 | |
| RFC 2141 / 2169 (URN) Response Parsing Memory Leak | CVE-2021-28651 | |
| Memory Leak in HTTP Response Parsing | | |
| Memory Leak in ESI Error Processing | | |
| 1-Byte Buffer OverRead in RFC 1123 date/time Handling | CVE-2023-49285 | GHSA-8w9r-p88v-mmx9 |
| Null Pointer Dereference in Gopher Response Handling | CVE-2023-46728 | GHSA-cg5h-v6vc-w33f |
| One-Byte Buffer OverRead in HTTP Request Header Parsing | | |
| strlen(NULL) Crash Using Digest Authentication | | GHSA-254c-93q9-cp53 |
| Assertion in ESI Header Handling | | |
| Integer Overflow in Range Header | CVE-2021-31808 | GHSA-pxwq-f3qr-w2xf |
| Gopher Assertion Crash | | |
| Whois Assertion Crash | | |
| Assertion in Gopher Response Handling | CVE-2021-46784 | |
| RFC 2141 / 2169 (URN) Assertion Crash | | |
| Vary: Other HTTP Response Assertion Crash | CVE-2021-28662 | |
| Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching | | |
| Assertion on IPv6 Host Requests with `--disable-ipv6` | | |
| Assertion Crash on Unexpected "HTTP/1.1 100 Continue" Response Header | | |
| Pipeline Prefetch Assertion With Double 'Expect: 100-continue' Request Headers | | |
| Pipeline Prefetch Assertion With Invalid Headers | | |
| Assertion Crash in Deferred Requests | | |
| Assertion in Digest Authentication | | |
| FTP URI Assertion | CVE-2023-46848 | GHSA-2g3c-pg7q-g59w |
| FTP Authentication Crash | | |
| Unsatisfiable Range Requests Assertion | CVE-2021-31806 | GHSA-pxwq-f3qr-w2xf |
| Crash in Content-Range Response Header Logic | CVE-2021-33620 | GHSA-572g-rvwr-6c7f |
| Assertion Crash In HTTP Response Headers Handling | | |
| Implicit Assertion in Stream Handling | | |
| Buffer UnderRead in SSL CN Parsing | CVE-2023-46724 | GHSA-73m6-jm96-c6r3 |
| Use-After-Free in ESI 'Try' (and 'Choose') Processing | | |
| Use-After-Free in ESI Expression Evaluation | | |
| Buffer Underflow in ESI | | GHSA-wgvf-q977-9xjg |
| Assertion in Squid "Helper" Process Creator | CVE-2023-49286 | GHSA-xggx-9329-3c27 |
| Assertion Due to 0 ESI 'when' Checking | | GHSA-4g88-277m-q89r |
| Assertion Using ESI's When Directive | | GHSA-4g88-277m-q89r |
| Assertion in ESI Variable Assignment (String) | | |
| Assertion in ESI Variable Assignment | | |
| Null Pointer Dereference In ESI's esi:include and esi:when | | |