A 29-year-old bug in Squid web proxy, Squidbleed, can leak cleartext HTTP requests including credentials. Discovered by Calif.io, it's enabled by default and traces to a 1997 FTP-parsing change. Update your proxy now to protect user data.
You might think a bug that's been sitting around for nearly three decades would have been caught by now. But here we are.
A heap over-read vulnerability in the Squid web proxy can leak another user's cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. It's a nasty surprise for anyone relying on Squid for security.
### What's the Big Deal?
This isn't some obscure edge case. The bug traces back to a 1997 FTP-parsing change, and it's still live in Squid's default configuration. Researchers at Calif.io disclosed it in June and named it Squidbleed.
Think of it like this: if you're sharing a proxy server with other users, an attacker who's already on that proxy could peek at your private data. That includes passwords, session cookies, and anything else sent over plain HTTP. It's like having a nosy neighbor reading your mail over your shoulder.
### How Does It Work?
The vulnerability is a heap over-read. When Squid processes certain FTP responses, it can read beyond the end of the allocated buffer. The bytes it picks up there can be parts of another user's HTTP request. Because one Squid process serves many clients from a single heap, the over-read lands on whatever happens to sit next to that buffer, so the leak is possible for anyone with access to the same proxy.
Here's what makes it especially concerning:
- It's been around since 1997, so it's baked into decades of configurations
- It's enabled by default, meaning most Squid installations are vulnerable
- It requires no special privileges beyond proxy access
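To make the mechanism concrete, here is an added illustration, not Squid's code and not the Squidbleed fix, of how a reply parser that scans for a line terminator instead of honouring the buffer length reads into a neighbouring heap object, placed beside a bounded version that rejects the malformed reply. The "arena", the FTP-style reply and the neighbouring request are all constructed for the demo so that the over-read stays inside one allocation and the program runs without undefined behaviour; in a real process the same scan would run off the end of the object.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed heap layout: a short FTP-style reply with no CRLF, followed
 * immediately by another client's HTTP request, the way two neighbouring
 * heap objects might sit in one worker's heap.  Entirely made up for the demo. */
static const char ARENA[] =
    "220 ftp.example.test ready"                     /* 26 bytes, no terminator */
    "GET /account HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n";

#define REPLY_LEN 26   /* the length the allocator actually handed out */

/* Vulnerable pattern: assumes every reply line ends in CRLF and keeps scanning
 * until it finds one, never consulting the object's real length.  Here the
 * bytes past REPLY_LEN are the neighbour's request, and they come back to the
 * caller as if they were part of the reply. */
static size_t parse_reply_line_unsafe(const char *reply, size_t len,
                                      char *out, size_t outsz)
{
    (void)len;                       /* the bug: length is ignored */
    const char *p = reply;
    while (!(p[0] == '\r' && p[1] == '\n'))
        p++;                         /* walks straight past the object end */
    size_t n = (size_t)(p - reply);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, reply, n);
    out[n] = '\0';
    return n;
}

/* Hardened pattern: the scan is bounded by the buffer length, and a reply
 * with no terminator inside the buffer is rejected instead of "completed"
 * from whatever memory follows it.  Returns the line length or -1. */
static int parse_reply_line_safe(const char *reply, size_t len,
                                 char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (reply[i] == '\r' && reply[i + 1] == '\n') {
            if (i >= outsz)
                return -1;           /* caller's buffer too small: refuse */
            memcpy(out, reply, i);
            out[i] = '\0';
            return (int)i;
        }
    }
    return -1;                       /* no CRLF within bounds: malformed reply */
}

/* 1 if the unsafe parser returned bytes that were never part of the reply,
 * i.e. the neighbouring request leaked into its output. */
static int unsafe_parser_leaks(void)
{
    char out[256];
    size_t n = parse_reply_line_unsafe(ARENA, REPLY_LEN, out, sizeof out);
    return n > REPLY_LEN && strstr(out, "GET /account") != NULL;
}

/* 1 if the bounded parser refuses the same unterminated reply. */
static int safe_parser_rejects(void)
{
    char out[256];
    return parse_reply_line_safe(ARENA, REPLY_LEN, out, sizeof out) == -1;
}

/* 1 if the bounded parser still accepts a well-formed reply line. */
static int safe_parser_accepts_terminated(void)
{
    const char reply[] = "230 Login successful\r\n";
    char out[64];
    int n = parse_reply_line_safe(reply, sizeof reply - 1, out, sizeof out);
    return n == 20 && strcmp(out, "230 Login successful") == 0;
}

int main(void)
{
    char out[256];
    parse_reply_line_unsafe(ARENA, REPLY_LEN, out, sizeof out);
    printf("unsafe parser returned: \"%s\"\n", out);   /* includes the neighbour's request line */
    printf("unsafe leaks neighbour data: %d\n", unsafe_parser_leaks());
    printf("safe parser rejects unterminated reply: %d\n", safe_parser_rejects());
    printf("safe parser accepts terminated reply: %d\n", safe_parser_accepts_terminated());
    return 0;
}
```

The point of the pair is the check, not the copy: a parser that treats "keep going until the delimiter shows up" as its loop condition has turned the attacker's ability to omit a delimiter into the ability to read whatever the allocator placed next, which on a busy proxy is often another client's traffic.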
### Who's at Risk?
If you're using Squid as a forward proxy for your organization or personal use, you need to pay attention. The bug affects versions with the default configuration, which is common in enterprise setups. Small businesses and home users who set up Squid for caching or content filtering are also exposed.
### What Can You Do?
First, check your Squid version. If it's older than the patched release, update immediately. The fix is straightforward: upgrade to the latest version that addresses Squidbleed. If you can't update right away, consider disabling FTP parsing in your Squid configuration. That's a temporary workaround, but it reduces the attack surface.
For the long term, think about using HTTPS everywhere. Even if a proxy bug leaks data, encrypted traffic is still safe. Also, limit who can access your proxy. The fewer users, the lower the risk.
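The two configuration-side measures above, refusing FTP through the proxy while you wait for the patched build and restricting who may use the proxy at all, can both be expressed in squid.conf. The fragment below is an added illustration, not text from Calif.io or the Squid project; the network ranges are assumed values to be replaced with your own, and denying ftp:// URLs via an ACL is one way to take FTP handling out of the request path rather than the only one.

```conf
# Added illustration of the workaround and access-limiting settings.
# Networks allowed to use the proxy (assumed ranges; substitute your own).
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

# Temporary workaround while unpatched: refuse ftp:// requests so the FTP
# reply parser is never reached.  http_access rules match in order, so this
# deny must come before the allow below.
acl ftp_urls proto FTP
http_access deny ftp_urls

# Only the named networks may send traffic through the proxy.
http_access allow localnet
http_access deny all
```

After editing, `squid -k parse` checks the file for errors and `squid -k reconfigure` applies it without a restart; `squid -v` prints the running version so you can compare it against the patched release. The ACL is a stopgap: it narrows the path to the bug but does not remove the bug, so the upgrade remains the actual fix.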
### The Takeaway
This bug is a reminder that old code can harbor hidden dangers. A 1997 change seemed harmless at the time, but it's now a security risk. Stay vigilant, keep your software updated, and don't assume a default configuration is safe.
If you're managing a Squid proxy, act now. Update your software, review your settings, and consider additional security measures like HTTPS and access controls. Your users' data depends on it.