CVE-2025-54574 PUBLISHED

Squid's URN Handling can lead to Buffer Overflow

Assigner: GitHub_M
Reserved: 25.07.2025 Published: 01.08.2025 Updated: 01.08.2025

Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
CVSS Score: 9.3

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	squid-cache
Product	squid
Versions	Version < 6.4 is affected

References

https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988
https://github.com/squid-cache/squid/releases/tag/SQUID_6_4

Problem Types

CWE-122: Heap-based Buffer Overflow CWE