Technology · Jun 24, 2026 · 3 min read

Squid: a 29-Year-Old Bug Allows Reading Others' Passwords

A 29-year-old bug in the open-source proxy Squid lets anyone on the same network read fragments of other users' plain HTTP requests, including the credentials that pass through the proxy. Researchers at Calif.io discovered it and named it Squidbleed (CVE-2026-47729), in homage to Heartbleed, the 2014 OpenSSL flaw that leaked server memory through a similar out-of-bounds read.

According to the researchers, the flaw was identified by Anthropic's Claude Mythos Preview model, linked to the so-called Project Glasswing. It joins a growing list of long-dormant vulnerabilities in widely used open-source software that AI agents have surfaced, following recent cases such as FFmpeg. Exploiting Squidbleed requires two conditions:

  1. The attacker must already be an authorized user of the same proxy, a typical situation on shared networks such as schools, offices, or public Wi-Fi.
  2. The proxy must be able to reach an FTP server under the attacker's control on port 21. Squid's FTP gateway is enabled by default, so this path is open unless the administrator has blocked it.

The leak is confined to traffic Squid can read. Ordinary HTTPS passes through an opaque CONNECT tunnel that the proxy does not inspect, so what is exposed is unencrypted HTTP traffic, plus HTTPS in deployments where Squid terminates TLS (SSL-Bump) to decrypt and inspect traffic in transit.

How the Squidbleed Bug Works

The vulnerability sits in Squid's FTP directory-listing parser, written in 1997 to cope with old NetWare servers that padded listing lines with extra spaces. The code skips the padding with a loop that asks strchr whether the current character belongs to a set of whitespace characters, and is meant to stop at the first character that does not.

If the attacker's FTP server sends a line that ends right after the timestamp, with no file name, the skip loop lands on the string's null terminator. strchr, asked whether '\0' is in the whitespace set, matches the terminator of the set string itself and returns a non-null pointer, so the loop does not stop: it steps past the end of the line, and the code copies whatever follows in memory, returning it as if it were the file name.

That memory is rarely empty. Squid reuses freed buffers without zeroing them, so a 4 KB block that previously held another user's request still retains much of its content. In the researchers' demo the over-read returned an Authorization header sufficient to impersonate the victim. Proof-of-concept code is public on GitHub; so far no exploitation in the wild has been reported.
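The following C program is an added illustration, not Squid's code. It models the whitespace-skipping loop described above in simplified form, with the vulnerable and hardened versions side by side, and runs both over a constructed "reused" buffer in which a listing line that ends at the timestamp is followed by leftover bytes from an earlier plain-HTTP request. The whitespace set, the sample listing line and the stale header bytes are assumptions made for the demo, and the copy is bounded to the array so the demo itself stays inside allocated memory, which the real bug does not.

```c
#include <stdio.h>
#include <string.h>

/* Whitespace set consulted by the listing parser (assumed for this demo;
 * Squid keeps a similar set under the name w_space). */
#define W_SPACE " \t\n\r"

/* Vulnerable skip, as the article describes it: strchr(W_SPACE, '\0')
 * matches the terminator of W_SPACE itself and returns a non-NULL pointer,
 * so the line's own NUL counts as "whitespace" and the loop walks past it. */
static const char *skip_ws_vulnerable(const char *p)
{
    while (strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Hardened skip: test for the terminator before consulting strchr. */
static const char *skip_ws_fixed(const char *p)
{
    while (*p != '\0' && strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Simplified model of "take the rest of the line as the file name".
 * `block` stands for the reused buffer the listing line lives in and
 * `after_ts` is the offset just past the timestamp. `block_len` bounds
 * the copy so this demo never reads outside the array. Returns the
 * number of bytes placed in `out` (NUL-terminated). */
static size_t extract_name(const char *block, size_t block_len,
                           size_t after_ts, int fixed,
                           char *out, size_t out_len)
{
    const char *p = block + after_ts;
    const char *end = block + block_len;
    size_t n = 0;

    p = fixed ? skip_ws_fixed(p) : skip_ws_vulnerable(p);

    while (p < end && *p != '\0' && n + 1 < out_len)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

#define BLOCK_LEN 4096

/* Constructed sample: a recycled block where the attacker's listing line
 * ends right after the timestamp, and the bytes beyond its NUL still hold
 * part of another user's earlier plain-HTTP request. The header values are
 * made up ("victim:hunter2" in base64). The stale bytes start with a
 * non-space character, so the vulnerable skip stops inside the array. */
static size_t demo_extract_name(int fixed, char *out, size_t out_len)
{
    static char block[BLOCK_LEN];
    const char *line  = "-rw-r--r-- 1 0 0 0 Jan 01 00:00";    /* no file name */
    const char *stale = "Authorization: Basic dmljdGltOmh1bnRlcjI=\r\n"
                        "Host: intranet.example\r\n";
    size_t len = strlen(line);

    memset(block, 0, sizeof block);
    memcpy(block, line, len + 1);                 /* includes the NUL */
    memcpy(block + len + 1, stale, strlen(stale));

    /* after_ts == len: the parser is positioned on the terminating NUL */
    return extract_name(block, sizeof block, len, fixed, out, out_len);
}

int main(void)
{
    char name[256];
    size_t n;

    n = demo_extract_name(0, name, sizeof name);
    printf("vulnerable: %zu bytes leaked as 'file name':\n%s\n", n, name);

    n = demo_extract_name(1, name, sizeof name);
    printf("fixed: %zu bytes (empty name, as it should be)\n", n);
    return 0;
}
```

The single added `*p != '\0'` test is the whole difference between the two loops; everything else in the program exists only to make the effect visible offline. Real exploitation also depends on what happens to sit after the line in the recycled block, which the attacker does not control but can sample repeatedly.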

Patches and Recommendations

The fix is minimal: a check for the end of the string before the offending strchr calls. It was merged into the development branch in April 2026 and into the version 7 branch in May 2026. Communication about the affected versions, however, has been contradictory: maintainer Amos Jeffries initially named Squid 7.6, then 7.7, as the fixed release, while Debian reported that the patch already appears to be present in 7.6.

Anyone applying the update should confirm that the check is actually present in FtpGateway.cc rather than relying on the version number alone: distributions build their own packages, and Debian still ships the old Squid 5.7. Version 7.6 also separately fixes an overflow in cache_digest, tracked as CVE-2026-50012, which is unrelated to Squidbleed.

The simplest mitigation remains disabling FTP support in the Squid configuration: Chromium dropped FTP years ago and most networks no longer use it, so removing it eliminates the attack surface regardless of the installed version. SUSE rates the severity as moderate, with a CVSS score of 6.5: the vector requires already-authorized access to the proxy, and the impact is limited to confidentiality, with no effect on the integrity or availability of the service.
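As an added example (not from the article or the Squid project), one way to apply that mitigation in squid.conf is to deny every request whose URL scheme is FTP, so ftp:// URLs never reach the listing parser. The `acl ... proto` type and `http_access` are standard Squid directives; the ACL name is an arbitrary choice, and `http_access` rules are evaluated top to bottom with the first match winning, so the deny must sit above whatever rule allows your users.

```conf
# Refuse the FTP gateway entirely: no ftp:// URL is ever fetched.
acl NoFTP proto FTP
http_access deny NoFTP

# ... existing rules follow, e.g.:
# http_access allow localnet
# http_access deny all
```

Check the file with `squid -k parse` and apply it with `squid -k reconfigure`. This removes the reachable path through client requests but does not remove the vulnerable code from the binary, so it is a stop-gap alongside the patched package, not a replacement for it.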