Connect with us

Hi, what are you looking for?



Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

Dozens of Squid caching proxy vulnerabilities remain unpatched two years after a researcher reported them to developers.

Supply chain attack

Dozens of vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched two years after a researcher responsibly disclosed them to developers.

Squid is a widely used open source proxy. According to the official site, “Many of you are using Squid without even knowing it! Some companies have embedded Squid in their home or office firewall devices, others use Squid in large-scale web proxy installations to speed up broadband and dialup internet access. Squid is being increasingly used in content delivery architectures to deliver static and streaming video/audio to internet users worldwide.”

The Squid security holes were discovered in 2021 by researcher Joshua Rogers, who this week disclosed the technical details of his findings. Rogers identified 55 vulnerabilities by targeting various components with fuzzing, manual code review and static analysis. 

According to the researcher, only a handful of flaws have been assigned CVE identifiers and 35 of them remain unpatched. 

Many of the vulnerabilities can lead to a crash, but some can also be exploited for arbitrary code execution.

“The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far,” Rogers said.

The researcher pointed out that there are more than 2.5 million Squid instances exposed on the internet.

“With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate,” the researcher said. “If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.”

Advertisement. Scroll to continue reading.

SecurityWeek has reached out to Squid developers for comment and will update this article if they respond. 

Related: Top 10 Security, Operational Risks From Open Source Code

Related: SBOMs – Software Supply Chain Security’s Future or Fantasy?

Related: GitLab Security Update Patches Critical Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.