Decades-Old Squid Proxy Flaw Squidbleed Exposes User Data

A critical vulnerability dubbed 'Squidbleed,' existing since 1997, has been discovered in the popular Squid Proxy software. The flaw has the potential to expose sensitive user data on shared networks.

A network proxy server and a data leak concept symbolizing the Squidbleed vulnerability.

What Happened

The cybersecurity world has been shaken by the discovery of a critical vulnerability that has existed unnoticed for nearly three decades. Security researchers at Calif.io have identified a memory leak vulnerability in Squid, a widely used open-source web proxy server, dating back to 1997. The researchers have dubbed it 'Squidbleed' due to its similarity to one of the most infamous vulnerabilities in cybersecurity history, Heartbleed in OpenSSL.

Officially tracked as CVE-2026-47729, this flaw lies in a core function of Squid, specifically in the component that parses FTP protocol data. Squid is used in millions of systems to manage internet traffic, save bandwidth, and improve access speeds through caching. These systems range from corporate networks to schools and public Wi-Fi hotspots. The fact that the vulnerability went undetected for so long highlights the potential risks lurking in legacy codebases and underscores the importance of regular code audits and modern security testing. Interestingly, the discovery of such an old and deeply embedded bug was aided by Anthropic's Claude Mythos AI model. This demonstrates how artificial intelligence is becoming a powerful tool in cybersecurity, particularly in identifying complex flaws that might be missed by the human eye.

What Data Was Leaked

The Squidbleed vulnerability directly targets users' sensitive information. Attackers exploiting this flaw can intercept data from unencrypted HTTP requests of other users sharing the same proxy server. This data includes highly critical information:

  • Authentication Credentials: Information used to log into various websites and online services, such as usernames and passwords.
  • Session Tokens: Digital keys that keep a user logged into a website. If captured, an attacker can impersonate that user.
  • API Keys: Special keys that allow different applications to communicate with each other, often granting access to valuable data or functions.

The leakage of this information can lead to identity theft, financial fraud, and unauthorized access to corporate networks. Because of how the vulnerability works, the leak occurs silently and without the victim's knowledge. The scope of the exposed data depends on the nature of the unencrypted traffic passing through the proxy. While a large portion of the modern internet is encrypted with HTTPS, there are still instances, especially in enterprise and legacy environments, where sensitive data is transmitted over unencrypted HTTP. These environments are the most fertile ground for Squidbleed attacks.

How Did the Attack Happen

The technical basis of the attack is a memory-safety error known as an 'out-of-bounds read.' The code component in Squid that processes FTP (File Transfer Protocol) traffic can read data beyond the end of its allocated memory buffer. The memory beyond that boundary may still hold leftover data from a previous HTTP request made by another user through the same proxy.

To execute the attack, the attacker needs to control an FTP server that is reachable from the proxy. The attack unfolds in the following steps:

  1. The attacker sets up their own malicious FTP server.
  2. The attacker triggers the target Squid proxy to send a request to this FTP server.
  3. When the proxy connects to the FTP server, the bug in the FTP parser is triggered, causing the program to start reading data outside its memory buffer.
  4. This read data consists of fragments of a previous HTTP request belonging to another user, which happens to be in that memory location.
  5. The attacker silently collects this leaked data through their FTP server.
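To make the out-of-bounds read concrete, the following is a constructed C illustration of the bug class (added here; it is not Squid's code and does not reproduce the actual Squid parser). A reused proxy buffer still holds bytes from another user's HTTP request, an FTP reply arrives without its CRLF terminator, and a parser that trusts the buffer's capacity instead of the received length returns stale header bytes as part of the line, while the bounded parser reports the line as incomplete.

```c
#include <string.h>

/* Constructed illustration of the bug class; not Squid's code. A proxy
 * reuses one I/O buffer across connections: it held part of another user's
 * HTTP request, and a short FTP reply is then written over its start. */
#define BUF_CAP 128

/* Leftover header bytes from another user's request (constructed sample). */
static const char STALE_HTTP[] =
    "Authorization: Basic dXNlcjpzZWNyZXQ=\r\nHost: example.test\r\n\r\n";

/* Lay out the reused buffer: stale request first, then `reply` over its
 * start. Returns the number of bytes actually received for the reply. */
static size_t stage_buffer(char *buf, const char *reply) {
    memset(buf, 0, BUF_CAP);
    memcpy(buf, STALE_HTTP, sizeof STALE_HTTP - 1);
    size_t n = strlen(reply);
    memcpy(buf, reply, n);
    return n;
}

/* Vulnerable pattern: scans to the next CRLF using the buffer's capacity
 * rather than the bytes received, so an unterminated reply makes it read
 * past the valid data and return stale bytes as part of the line. */
size_t reply_line_unbounded(const char *buf, size_t received, char *out) {
    (void)received;                 /* the defect: valid length ignored */
    size_t i = 0;
    while (i + 1 < BUF_CAP && !(buf[i] == '\r' && buf[i + 1] == '\n')) i++;
    memcpy(out, buf, i);
    out[i] = '\0';
    return i;
}

/* Fixed pattern: never looks beyond `received`; an unterminated reply is
 * reported as incomplete (0) instead of being completed from stale data. */
size_t reply_line_bounded(const char *buf, size_t received, char *out) {
    for (size_t i = 0; i + 1 < received; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            memcpy(out, buf, i);
            out[i] = '\0';
            return i;
        }
    }
    out[0] = '\0';
    return 0;                       /* wait for more data */
}

/* Feed a reply whose CRLF has not arrived yet; 1 if stale header leaks. */
int leaks_stale_data(size_t (*parser)(const char *, size_t, char *)) {
    char buf[BUF_CAP], line[BUF_CAP];
    size_t n = stage_buffer(buf, "230 OK");
    parser(buf, n, line);
    return strstr(line, "Basic ") != NULL;
}
```

The same pattern is what a code audit or fuzzer looks for in any long-lived parser: every scan loop must be bounded by the length of valid data, not by the size of the allocation.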

An important limitation of the vulnerability is that it does not affect standard HTTPS connections. If a user is using an end-to-end encrypted HTTPS tunnel (CONNECT method) through the proxy, their data is safe. However, if the proxy itself terminates the TLS encryption (i.e., decrypts the traffic at the proxy and then re-encrypts it), or if the traffic is plain unencrypted HTTP, the data is at risk. TLS termination at the proxy is common in corporate networks for inspecting and filtering traffic.

Who Is Affected

Squidbleed poses a significant risk, especially in shared proxy environments. This means any setup where the internet traffic of multiple users or devices is routed through a single Squid proxy instance. Potentially affected environments include:

  • Corporate Networks: Companies that use proxies like Squid to manage, filter, and secure employee internet access.
  • Schools and Universities: Educational institutions that set up central proxy systems to control network traffic for students and staff.
  • Public Wi-Fi Networks: Wireless networks offered in places like hotels, cafes, and airports that route user traffic through a proxy.
  • Internet Service Providers (ISPs): Some providers that use proxies for caching and traffic optimization for their customers.

In these environments, an attacker on the same network could secretly siphon data from other users. An attacker connected to a public Wi-Fi in a coffee shop could potentially capture the email passwords or social media session information of other customers on the same network.

What You Can Do

For Squid proxy administrators and users, there are clear steps to mitigate the effects of this vulnerability. The Squid project has released updates to address the issue.

  • Update the Software: The most effective solution is to upgrade the Squid proxy software to a patched version. The vulnerability was fixed with a patch merged into Squid version 8 in April 2026. Additionally, Squid version 7.6, released in June 2026, also includes this patch. System administrators are urged to upgrade to one of these versions as soon as possible.
  • Disable FTP Support: If the FTP protocol is not used on your network, the safest approach is to disable FTP support in the Squid configuration to eliminate the risk entirely. Since the vulnerability is specifically in the FTP parser, disabling this protocol removes the attack vector.
  • Enforce Traffic Encryption: Enforce the use of end-to-end encryption (HTTPS) wherever possible. If TLS termination is used at the proxy, review the risks of this configuration and ensure that traffic does not remain unencrypted, even on the internal network.
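For the "Disable FTP Support" step, the squid.conf fragment below is an added example (not from the Squid project or the source article) that denies every ftp:// request before any allow rule, so the FTP parser is never reached. It assumes a standard squid.conf; the `localnet` ACL name is the usual default and is only shown as context.

```conf
# Added example, not Squid project configuration or text from the article.
# Goal: block FTP at the proxy so the vulnerable FTP component is unused.

# Match any request whose URL scheme is ftp://
acl ftp_scheme proto FTP

# Deny FTP before the existing allow rules so no client can trigger an
# FTP fetch through this proxy.
http_access deny ftp_scheme

# Existing policy continues as before, for example:
# http_access allow localnet
# http_access deny all

# If native FTP relaying was enabled, remove any ftp_port directives too,
# since they open a separate FTP listener that also uses the FTP code.
```

After reloading, confirm with a test client that ftp:// requests return an access-denied response; this is the "disabled" state the bullet describes, and it should remain in place until the proxy has been upgraded.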

What Is the Company Saying

The source article does not contain a direct official statement from the Squid project or its developers. However, the project's response to the vulnerability has been swift and effective. Following the disclosure, developers took action to resolve the issue and quickly integrated patches into the main codebase. The release of Squid 8 in April 2026 and Squid 7.6 in June 2026 demonstrates that the open-source community takes security notifications seriously and takes the necessary steps to protect its users. The researchers at Calif.io noted that, in addition to this finding, they have also discovered another high-severity vulnerability in OpenSSL and a DoS attack technique called HTTP/2 Bomb, which can quickly take servers offline, both with the help of AI.

Source

https://www.securityweek.com/decades-old-squid-proxy-flaw-squidbleed-can-expose-user-data/
