Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Squid Caching Proxy: Remote Code Execution Risk
OESA-2026-1551
Summary
If you're using Squid versions 6.3 and below, a hacker could potentially inject malicious code into your system through the proxy. This can happen if Squid is configured to process URNs. To fix this, update to version 6.4 or disable URN access permissions.
What to do
- Update squid to version 4.9-25.oe2003sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | squid | <= 4.9-25.oe2003sp4 | 4.9-25.oe2003sp4 |
Original title
squid security update
Original description
Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.
Security Fix(es):
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.(CVE-2025-54574)
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.(CVE-2025-62168)
Security Fix(es):
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.(CVE-2025-54574)
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.(CVE-2025-62168)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-54574 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-62168 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026