CVE-2025-54574

9.3 CRITICAL

📋 TL;DR

Squid caching proxy versions 6.3 and below contain a heap buffer overflow vulnerability in URN processing that could allow remote attackers to execute arbitrary code. This affects all systems running vulnerable Squid versions with URN enabled. Attackers could potentially take control of Squid servers.

💻 Affected Systems

Products:
  • Squid caching proxy
Versions: All versions up to and including 6.3
Operating Systems: All operating systems running Squid
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires URN functionality to be enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Service disruption, denial of service, or limited code execution depending on exploit sophistication and system hardening.

🟢 If Mitigated

Denial of service or service disruption if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted URN requests to vulnerable Squid instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4

Vendor Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3

Restart Required: Yes

Instructions:

1. Download Squid 6.4 from official sources.
2. Stop the Squid service.
3. Back up the configuration.
4. Install the new version.
5. Restart the Squid service.

🔧 Temporary Workarounds

Disable URN access permissions (applies to: all)

Effect: Prevents exploitation by disabling URN functionality entirely.

How: Edit squid.conf and add 'deny urn' to the appropriate ACL sections, or disable URN protocol support.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Squid servers
  • Deploy WAF or IPS rules to block suspicious URN requests

🔍 How to Verify

Check if Vulnerable:

Check the Squid version and verify whether URN functionality is enabled in the configuration.

Check Version:

squid -v | grep Version

Verify Fix Applied:

Confirm that the Squid version is 6.4 or higher, then test that URN functionality behaves as expected.
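As an added example, not part of this advisory or of Squid's own tooling, the following POSIX shell script performs the workaround check and the version check above offline: it parses the version out of the `squid -v` banner and compares it against the 6.4 fix line, and it inspects squid.conf text for an ACL pair `acl <name> proto URN` / `http_access deny <name>`, assumed here to be the squid.conf form of the 'deny urn' workaround. The banner format and the ACL syntax are assumptions, and the banner and config samples are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the Squid project: offline checks for
# CVE-2025-54574. Assumes the "squid -v" banner "Squid Cache: Version X.Y" and
# the workaround ACL pair "acl <name> proto URN" / "http_access deny <name>".
# Print the version number found in the "squid -v" output passed as $1.
squid_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is 6.4 or later (fix released in 6.4), 1 otherwise.
squid_is_fixed() {
  ver="$1"
  case "$ver" in ''|*[!0-9.]*) return 1 ;; esac   # empty or non-numeric: treat as unknown
  case "$ver" in *.*) ;; *) ver="$ver.0" ;; esac   # bare "6" becomes "6.0"
  major=${ver%%.*}
  minor=${ver#*.}; minor=${minor%%.*}; [ -n "$minor" ] || minor=0
  [ "$major" -gt 6 ] && return 0
  [ "$major" -eq 6 ] && [ "$minor" -ge 4 ] && return 0
  return 1
}

# Return 0 when the squid.conf text in $1 defines an ACL of type "proto URN"
# and denies it with an http_access rule; comment lines are ignored.
urn_denied_in_conf() {
  conf="$1"
  names=$(printf '%s\n' "$conf" | awk '/^[[:space:]]*#/ {next}
    $1=="acl" && $3=="proto" && toupper($4)=="URN" {print $2}')
  [ -n "$names" ] || return 1
  for n in $names; do
    printf '%s\n' "$conf" | awk -v n="$n" '/^[[:space:]]*#/ {next}
      $1=="http_access" && $2=="deny" && $3==n {f=1} END {exit f ? 0 : 1}' && return 0
  done
  return 1
}

# Constructed samples (not captured from a real host).
SAMPLE_BANNER='Squid Cache: Version 6.3
Service Name: squid'
SAMPLE_CONF_OPEN='acl localnet src 10.0.0.0/8
http_access allow localnet'
SAMPLE_CONF_DENY='# vendor workaround for CVE-2025-54574
acl URN proto URN
http_access deny URN
http_access allow localhost'

# Stand-alone run over the samples.
v=$(squid_version_from_banner "$SAMPLE_BANNER")
if squid_is_fixed "$v"; then echo "version $v: fixed"; else echo "version $v: vulnerable"; fi
urn_denied_in_conf "$SAMPLE_CONF_DENY" && echo "workaround ACL present in sample config"
```

On a real host, feed `"$(squid -v)"` and `"$(cat /etc/squid/squid.conf)"` to the two functions instead of the samples.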

📡 Detection & Monitoring

Log Indicators:

  • Unusual URN request patterns
  • Squid crash logs
  • Memory access violation errors

Network Indicators:

  • Malformed URN requests
  • Unusual traffic to Squid URN ports

SIEM Query:

source="squid" AND (uri="urn:*" OR protocol="URN") AND (status="ERROR" OR status="DENIED")
