Squid Web Proxy Vulnerability (Squidbleed) Exposed

A critical vulnerability has been discovered in the Squid web proxy that allows attackers to leak sensitive information belonging to other users of the same proxy server. Researchers at Calif.io dubbed the bug “Squidbleed” and reported it in June.

The issue lies in a 1997 FTP-parsing change that is still present in Squid’s default configuration. As a result, an attacker who is already permitted to use the proxy can read another user’s cleartext HTTP request, including credentials or session tokens.

To exploit this vulnerability, the attacker needs control over an FTP server on port 21, and the proxy server must be configured to allow FTP traffic. Only traffic that Squid itself reads is exposed; HTTPS traffic that passes through an opaque CONNECT tunnel is not affected.

The leak is caused by a faulty FTP directory-listing parser in Squid’s code. When an attacker sends a listing line with no filename, the parser over-reads and copies sensitive information back to the attacker as a filename.

Patched Squid releases are available, but users are advised not only to update their version but also to verify the fix. The best approach is to disable FTP traffic, which costs nothing and can be done in the proxy settings.
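One way to check that FTP really is disabled in a proxy's configuration, as an added example that is not from the article or the Squid project. It assumes FTP is blocked with Squid's standard `acl <name> proto FTP` and `http_access deny <name>` directives (the article does not name the setting); the ACL names and sample configs are constructed, and `include`d files are not followed.

```shell
#!/bin/sh
# Added example: audit a squid.conf (read from stdin) for an FTP block.
# Returns 0 only when "http_access deny <acl>", where <acl> is a "proto" ACL
# listing FTP, appears before the first "http_access allow". Squid evaluates
# http_access rules top to bottom and stops at the first match, so a deny
# placed after an allow may never be reached.
audit_squid_ftp() {
    awk '
        { sub(/#.*/, "") }            # drop comments, including trailing ones
        # Remember every ACL of type "proto" that lists FTP (uppercase, as in
        # the Squid docs; other spellings are conservatively not accepted).
        $1 == "acl" && $3 == "proto" {
            for (i = 4; i <= NF; i++) if ($i == "FTP") ftp_acl[$2] = 1
        }
        # An allow rule seen before any FTP deny: FTP may still get through.
        $1 == "http_access" && $2 == "allow" && !denied { exit }
        # Only a deny with exactly one ACL is unconditional for FTP requests;
        # extra ACLs on the line are ANDed and make the deny conditional.
        $1 == "http_access" && $2 == "deny" && NF == 3 && ($3 in ftp_acl) {
            denied = 1
        }
        END { exit (denied ? 0 : 1) }
    '
}

# Constructed sample configs (not taken from any real deployment).
hardened='acl ftp_proto proto FTP
http_access deny ftp_proto      # FTP gatewaying disabled
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all'

exposed='acl localnet src 10.0.0.0/8
http_access allow localnet
acl ftp_proto proto FTP
http_access deny ftp_proto
http_access deny all'

report() {
    if printf '%s\n' "$2" | audit_squid_ftp; then
        echo "$1: FTP denied before any allow rule"
    else
        echo "$1: FTP not reliably denied"
    fi
}
report hardened "$hardened"
report exposed "$exposed"
```

Against a live proxy, feed it the active configuration, for example `audit_squid_ftp < /etc/squid/squid.conf` (the path is an assumption and varies by distribution).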

While the risk of exploitation is real, it is considered moderate because the attacker needs low privileges and only confidentiality is affected. Similar issues have been discovered in other systems, highlighting the need for vigilance in software maintenance.

Source: https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html