Overview
A newly disclosed vulnerability named Squidbleed (CVE-2026-47729) has highlighted how legacy code can continue to create modern security risks.
The vulnerability affects the widely used Squid proxy server and can allow one authorised proxy user to retrieve portions of another user’s cleartext HTTP requests. In some cases, this could expose authentication headers, session tokens, cookies, and other sensitive information.
What makes Squidbleed particularly interesting is that the underlying flaw was introduced by a code change in 1997 and has been reachable in Squid's default configuration ever since.

Vulnerability Breakdown
Squidbleed is a heap over-read in Squid's FTP directory-listing parser, the code that turns a LIST response from an FTP server into the directory page Squid serves for ftp:// URLs.
An attacker who already has access to the same Squid proxy requests an ftp:// URL that points at an FTP server they control, and that server returns a specially crafted directory listing. Because Squid may reuse memory buffers without clearing them, the over-read returns portions of previous users' HTTP requests to the attacker.
The vulnerability primarily affects:
- Cleartext HTTP traffic, which Squid handles in the clear.
- HTTPS traffic in environments that perform SSL/TLS inspection (SSL-Bump), because the proxy then holds the decrypted requests.
- Shared proxy deployments, where many unrelated users pass through the same process: educational institutions, corporate networks, and public Wi-Fi environments.
Ordinary HTTPS traffic carried over standard CONNECT tunnels is largely protected, because Squid cannot inspect the encrypted content. Note that the CONNECT request itself, including any Proxy-Authorization header the client sends to the proxy, still reaches Squid in cleartext unless the client also speaks TLS to the proxy.
How the Attack Works
The attack requires several conditions:
- The attacker must already be authorised to use the proxy.
- FTP support must be enabled.
- The attacker must control an FTP server reachable from the proxy on port 21.
Once triggered, the vulnerable FTP parser reads beyond the intended memory boundary and may return residual data from previous user requests.
Researchers demonstrated the ability to recover HTTP Authorization headers, providing enough information to potentially impersonate another user.
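To make the mechanism concrete, the following is a constructed, simplified illustration of the bug class, added here for this article; it is not Squid's code and not the actual Squidbleed parser. A shared buffer holds one user's HTTP request, is reused for an FTP directory listing without being cleared, and a listing parser that trusts the server's line terminator instead of the byte count it actually received copies stale request bytes back to the caller. The hardened version beside it treats the received length as the boundary and scrubs the buffer before reuse. The request, the credential (alice:s3cr3t) and the listing lines are constructed sample data, and the exact byte offsets are chosen for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* One buffer reused across connections without clearing (the demo's
 * assumption; it stands in for the reused heap buffer described above). */
static char shared_buf[BUF_SIZE];

/* Constructed sample: a previous user's request that landed in the buffer.
 * The credential is "alice:s3cr3t", base64-encoded. */
static const char PRIOR_REQUEST[] =
    "GET http://intranet.example/ HTTP/1.1\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "Host: intranet.example\r\n"
    "\r\n";

/* Constructed attacker input: a plausible LIST entry whose CRLF terminator is
 * deliberately omitted. Its length (39 bytes) is chosen so that the bytes
 * following it in the buffer are the stale Authorization header. */
static const char CRAFTED_ENTRY[] = "-rw-r--r-- 1 ftp ftp 5 Jan 01 00:00 abc";

/* Constructed benign input: a complete, terminated LIST entry. */
static const char LEGIT_ENTRY[] = "-rw-r--r-- 1 ftp ftp 5 Jan 01 00:00 notes.txt\r\n";

static void fill_with_prior_request(void) {
    memcpy(shared_buf, PRIOR_REQUEST, sizeof PRIOR_REQUEST); /* includes the NUL */
}

/* Receive n bytes from the "FTP server" into the same buffer; nothing that was
 * there before is cleared. Returns the number of bytes received. */
static size_t receive_listing(const char *data, size_t n) {
    if (n > BUF_SIZE) n = BUF_SIZE;
    memcpy(shared_buf, data, n);
    return n;
}

/* Skip nfields space-separated fields of a UNIX-style listing (perms links
 * owner group size month day time) and return the start of the name, which
 * may itself contain spaces. Never reads past end. */
static const char *skip_fields(const char *p, const char *end, int nfields) {
    for (int f = 0; f < nfields && p < end; f++) {
        while (p < end && *p != ' ') p++;
        while (p < end && *p == ' ') p++;
    }
    return p;
}

/* VULNERABLE: ignores how many bytes were actually received and hunts for the
 * CRLF terminator anywhere in the buffer, so an unterminated entry makes it
 * read stale bytes from the previous request. Copies the "name" into out. */
static long parse_name_vulnerable(size_t received, char *out, size_t outsz) {
    (void)received;                          /* the bug: the real boundary is ignored */
    const char *end = shared_buf + BUF_SIZE; /* kept inside the array so the demo itself is well-defined */
    for (size_t i = 0; i + 1 < BUF_SIZE; i++)
        if (shared_buf[i] == '\r' && shared_buf[i + 1] == '\n') { end = shared_buf + i; break; }
    const char *start = skip_fields(shared_buf, end, 8);
    size_t len = (size_t)(end - start);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (long)len;
}

/* HARDENED: the received byte count is the boundary. An entry whose terminator
 * is not within the received bytes is incomplete or hostile and is rejected
 * (-1) instead of being read past the boundary. */
static long parse_name_hardened(size_t received, char *out, size_t outsz) {
    const char *end = NULL;
    for (size_t i = 0; i + 1 < received; i++)
        if (shared_buf[i] == '\r' && shared_buf[i + 1] == '\n') { end = shared_buf + i; break; }
    if (end == NULL) return -1;
    const char *start = skip_fields(shared_buf, end, 8);
    size_t len = (size_t)(end - start);
    if (len >= outsz) return -1;             /* refuse rather than truncate silently */
    memcpy(out, start, len);
    out[len] = '\0';
    return (long)len;
}

/* Defence in depth: scrub the buffer when a connection releases it, so a later
 * over-read finds nothing belonging to another user (use explicit_bzero or
 * memset_s where available). */
static void release_buffer(void) { memset(shared_buf, 0, sizeof shared_buf); }

/* Returns 1 if the shared buffer holds no residual data. */
static int buffer_is_clean(void) {
    for (size_t i = 0; i < BUF_SIZE; i++) if (shared_buf[i] != 0) return 0;
    return 1;
}

/* Scenario: a previous request sits in the buffer, then the attacker's FTP
 * server sends `entry`. Returns what the vulnerable parser hands back. */
static long run_vulnerable(const char *entry, char *out, size_t outsz) {
    fill_with_prior_request();
    size_t n = receive_listing(entry, strlen(entry));
    return parse_name_vulnerable(n, out, outsz);
}

/* Same scenario through the hardened parser, releasing the buffer afterwards. */
static long run_hardened(const char *entry, char *out, size_t outsz) {
    fill_with_prior_request();
    size_t n = receive_listing(entry, strlen(entry));
    long r = parse_name_hardened(n, out, outsz);
    release_buffer();
    return r;
}

int main(void) {
    char out[128];
    long n = run_vulnerable(CRAFTED_ENTRY, out, sizeof out);
    printf("vulnerable parser returned %ld bytes: \"%s\"\n", n, out);
    n = run_hardened(CRAFTED_ENTRY, out, sizeof out);
    printf("hardened parser returned %ld for the crafted entry (rejected)\n", n);
    n = run_hardened(LEGIT_ENTRY, out, sizeof out);
    printf("hardened parser returned %ld bytes for a complete entry: \"%s\"\n", n, out);
    return 0;
}
```

The vulnerable parser hands the attacker the previous user's Authorization header as if it were a filename; the hardened one rejects the unterminated entry, still parses a complete entry correctly, and leaves nothing in the buffer for the next connection to find. The two fixes are independent: the bounds check stops the read, and the scrub limits what any future bug of the same class could leak.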
Defensive Recommendations
Organisations using Squid should:
- Apply the latest vendor patches.
- Verify that the fix has been backported if using distribution-specific packages.
- Disable FTP support if it is no longer required.
- Restrict proxy access to authorised users only.
- Monitor for unexpected FTP activity.
- Review environments performing SSL/TLS inspection.
For many organisations, disabling FTP entirely may be the simplest and most effective mitigation.
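As an added example of the FTP and access-restriction recommendations above (not from the original article or from the Squid project), the following squid.conf fragment denies all ftp:// requests, leaves no native FTP relay port configured, and requires proxy authentication before anything else is allowed. The authentication helper path and password file are assumptions; substitute your own auth_param setup. None of this replaces applying the vendor patch.

```conf
# Deny FTP gatewaying outright: any request whose URL scheme is FTP is refused.
# Place this before any http_access allow rules, since Squid uses the first match.
acl ftp_scheme proto FTP
http_access deny ftp_scheme

# Do not run a native FTP relay port. Remove or comment out any such line.
# ftp_port 2121

# Only authenticated users may use the proxy at all.
# Helper path and password file are assumptions for this example.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Everything not explicitly allowed above is denied.
http_access deny all
```

After editing, run `squid -k parse` to check the configuration and `squid -k reconfigure` to apply it, then confirm from a client that an ftp:// URL through the proxy returns an access-denied page rather than a directory listing.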
Expert in the Cloud Insight
Squidbleed is a reminder that some of the biggest security risks are not always new vulnerabilities. They are often old features, old protocols, and old code that remain enabled long after their original purpose has disappeared.
Most organisations rarely use FTP today, yet in many environments the functionality remains available simply because nobody has revisited the configuration.
The lesson here is simple: reducing attack surface is just as important as patching vulnerabilities. If a service is no longer required, disable it. If a protocol is obsolete, remove it. Security often improves most when complexity is reduced.