Squidbleed: 29-Year-Old Proxy Flaw Leaks Cleartext HTTP Credentials
A decades-old heap over-read vulnerability in Squid web proxy can expose cleartext HTTP requests—including credentials and session tokens—to other users on the same proxy. The bug, rooted in 1997 FTP-parsing code, remains active in default configurations.
TL;DR
- Squidbleed is a heap over-read in Squid proxy that leaks cleartext HTTP requests between users sharing the same proxy instance
- The vulnerability originates from FTP-parsing logic added in 1997 and persists in default Squid configurations
- Attackers with proxy access can intercept credentials, session tokens, and sensitive request data from other users
- Researchers at Calif.io disclosed the flaw in June 2026; patching and configuration hardening are critical for affected deployments
A critical information disclosure vulnerability dubbed Squidbleed has been discovered in the widely-deployed Squid web proxy. The flaw stems from a heap over-read condition that can leak another user's cleartext HTTP requests—including embedded credentials and session tokens—to any attacker with access to the same proxy instance.
The vulnerability's roots trace back to FTP-parsing code introduced in 1997, making it one of the longest-standing proxy security issues. Despite its age, the bug remains active in Squid's default configuration, putting organizations that rely on Squid for traffic filtering and caching at immediate risk.
Researchers at Calif.io disclosed the vulnerability in June 2026, highlighting the need for urgent patching and configuration review across affected deployments.
Technical Details and Attack Surface
- Heap over-read condition allows reading adjacent memory containing other users' HTTP request data
- Affects any environment where multiple users or services route traffic through the same Squid proxy
- Cleartext HTTP requests are fully exposed, including headers, cookies, and authentication tokens
- Vulnerability is present in default Squid configurations, requiring no special setup to exploit
- Attacker requires only basic proxy access to trigger and observe leaked data
Risk and Mitigation Recommendations
- Organizations using Squid should immediately apply security patches from the Squid project
- Review proxy access controls to limit who can send traffic through vulnerable instances
- Consider enforcing HTTPS/TLS for all traffic to prevent cleartext exposure even if heap leaks occur
- Audit logs for suspicious proxy activity or repeated requests from single users
- Evaluate alternative proxy solutions or isolated proxy instances for high-security environments
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.