News Article · Jun 23, 2026 at 11:45 AM
Squid Proxy Bug 'Squidbleed' Exposes 29-Year-Old Flaw, AI Aids Discovery
Security #AI security #vulnerability #Squid #proxy #heap over-read #CVE-2026-47729 #Squidbleed #Calif.io #FTP


A 29-year-old heap over-read bug in the Squid web proxy, named 'Squidbleed', can leak cleartext HTTP requests from other users on the same proxy. The flaw traces to a 1997 FTP-parsing change and remains active in default configurations. Researchers used AI to identify the bug.


Researchers at Calif.io disclosed a heap over-read vulnerability, named Squidbleed (CVE-2026-47729), in the Squid web proxy on June 22, 2026. The bug can leak cleartext HTTP requests from other users of the same proxy, including credentials and session tokens, and traces back to a 1997 FTP-parsing code change.

The vulnerable code has been present since that 1997 change and is still compiled in and reachable under Squid's default configuration. SUSE rates the flaw moderate (CVSS 6.5) because the attacker must already be a client permitted to use the proxy. The impact is on confidentiality, not integrity or availability.

How the Squidbleed Attack Works

The bug resides in Squid's FTP directory-listing parser. When an attacker-controlled FTP server returns a listing line that ends immediately after the timestamp, with no filename, a strchr-driven loop does not stop at the null terminator: in C, strchr treats the terminating '\0' as part of the string it searches, so a lookup that matches the terminator returns a non-NULL pointer and the loop keeps walking off the end of the line. Squid then copies whatever follows back to the attacker as the filename. Because Squid reuses freed memory without zeroing it, a 4KB buffer that recently held another client's HTTP request still contains most of it; a short FTP line overwrites only the first few bytes.
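The following is an added, self-contained illustration of that bug class, written for this article; it is not Squid's code, and the parser, buffer layout, listing line and "victim" request are all constructed for the example. It models a recycled 4 KiB chunk that still holds another client's request, runs an ls-style listing parser over it with the strchr whitespace-skipping idiom, and shows the same parser with the terminator check described as the fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not Squid's code). The whitespace skipper below uses
 * strchr(" \t", *p). strchr() counts the terminating '\0' as part of the
 * string it searches, so strchr(" \t", '\0') returns a non-NULL pointer to
 * the terminator of " \t", and the loop treats end-of-line as "more
 * whitespace" and walks on into whatever bytes follow. */

#define BUF_SZ 4096

/* Constructed: a cleartext request another client sent through the proxy. */
static const char VICTIM_REQUEST[] =
    "GET /account HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Cookie: session=deadbeef\r\n\r\n";

/* Constructed: attacker's ls-style line, ending right after the timestamp. */
static const char SHORT_LISTING[] = "-rw-r--r-- 1 ftp ftp 0 Jan 01 00:00";

/* Model a recycled heap chunk: the old request is still there, and the new
 * short line plus its terminator overwrites only the first 36 bytes. */
static void recycle_buffer(char *buf)
{
    memset(buf, 0, BUF_SZ);
    memcpy(buf, VICTIM_REQUEST, sizeof VICTIM_REQUEST - 1);
    memcpy(buf, SHORT_LISTING, sizeof SHORT_LISTING); /* copies the '\0' too */
}

typedef const char *(*skip_fn)(const char *);

/* Vulnerable: never stops at '\0', because strchr(" \t", '\0') is non-NULL. */
static const char *skip_ws_vuln(const char *p)
{
    while (strchr(" \t", *p))
        p++;
    return p;
}

/* Fixed: test for the terminator before consulting strchr. */
static const char *skip_ws_fixed(const char *p)
{
    while (*p != '\0' && strchr(" \t", *p))
        p++;
    return p;
}

/* Skip the eight leading ls -l fields (perms links owner group size month
 * day time) and copy the rest of the line out as the filename.
 * Returns 0 on success, -1 if the line carries no filename. */
static int parse_filename(const char *line, skip_fn skip_ws,
                          char *out, size_t outsz)
{
    const char *p = line;
    for (int field = 0; field < 8; field++) {
        p = skip_ws(p);
        if (*p == '\0')
            return -1;
        while (*p != '\0' && !strchr(" \t", *p)) /* step over the field */
            p++;
    }
    p = skip_ws(p);          /* with skip_ws_vuln this steps past the '\0' */
    if (*p == '\0')
        return -1;
    snprintf(out, outsz, "%s", p);
    return 0;
}

/* Run the parser over the recycled buffer. Returns 1 if the recovered
 * "filename" contains needle, 0 if it does not, -1 if the line was rejected.
 * The walk past the terminator stays inside the chunk here only because the
 * constructed stale bytes are not whitespace; in general it need not. */
static int filename_contains(skip_fn skip_ws, const char *needle)
{
    char out[BUF_SZ];
    char *buf = malloc(BUF_SZ);
    if (buf == NULL)
        return -1;
    recycle_buffer(buf);
    int rc = parse_filename(buf, skip_ws, out, sizeof out);
    free(buf);
    if (rc != 0)
        return -1;
    return strstr(out, needle) != NULL;
}

int main(void)
{
    const char *needle = "Authorization: Basic";
    printf("vulnerable parser leaks credential header: %s\n",
           filename_contains(skip_ws_vuln, needle) == 1 ? "yes" : "no");
    printf("fixed parser rejects the line: %s\n",
           filename_contains(skip_ws_fixed, needle) == -1 ? "yes" : "no");
    return 0;
}
```

With the vulnerable skipper the "filename" returned to the attacker is the tail of the stale request, starting a few bytes past where the short listing line ended, including the Authorization and Cookie headers. The fixed skipper stops at the terminator and the parser rejects the line as having no filename.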

  • Attackers need access to the proxy and control of an FTP server reachable on port 21; Squid's FTP gateway is enabled by default.
  • The leak only works for cleartext HTTP traffic or TLS-terminating setups where Squid decrypts and inspects. Normal HTTPS CONNECT tunnels are opaque to Squid.
  • Proof-of-concept code is public, with no in-the-wild exploitation reported as of late June 2026.
  • SUSE rates the vulnerability as moderate with a CVSS score of 6.5, reflecting the limited attack vector.

Patch Confusion and AI Role

Patching has been inconsistent. Maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected to 7.7; Debian's Salvatore Bonaccorso noted the referenced commit is already in 7.6. Squid 7.6 separately patches an unrelated cache_digest heap overflow (CVE-2026-50012). The fix itself adds a null-terminator check before the vulnerable strchr calls; it was merged in April 2026 and reached the v7 branch in May. Because most networks carry little FTP traffic, the researchers recommend disabling FTP entirely to remove the attack surface.

Calif.io credits Anthropic's Claude Mythos Preview, an AI model, with spotting the strchr quirk almost immediately, continuing a trend of AI agents surfacing long-buried parser bugs in projects such as FFmpeg. Calif.io suggests Squid's FTP code may contain similar issues.

Implications and Next Steps

The Squidbleed vulnerability underscores the danger of legacy code persisting in default configurations for decades. With FTP support already removed from browsers such as Chromium, disabling the protocol in the proxy is a low-risk mitigation. Organizations running Squid should prioritize patching or disabling FTP, especially on shared networks such as schools, offices, and public Wi-Fi. The AI-assisted discovery also points to a future in which automated tools routinely find such bugs, potentially outpacing manual audits. As of late June 2026 no active exploitation has been reported, but the public proof-of-concept raises the urgency.
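As an added example for the mitigation above, not taken from the advisory or the Squid project, this squid.conf fragment denies FTP gateway requests using Squid's protocol ACL type. Squid evaluates http_access rules top-down and stops at the first match, so the deny must precede any allow rule; the commented rules below stand for whatever allow/deny lines an existing configuration already carries.

```conf
# Added example: block ftp:// requests through the proxy regardless of client.
acl ftp proto FTP
http_access deny ftp

# Existing rules follow (illustrative placeholders for a typical squid.conf):
# http_access allow localnet
# http_access deny all
```

After editing, validate with `squid -k parse` and apply with `squid -k reconfigure`; a client request for an ftp:// URL should then receive an access-denied response from the proxy rather than reaching the FTP parser at all. This removes the attack surface but is not a substitute for the upstream fix on deployments that must keep FTP gatewaying enabled.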

Fact check

  • The Squidbleed vulnerability (CVE-2026-47729) was disclosed on June 22, 2026 by researchers at Calif.io.
  • The bug traces to a 1997 FTP-parsing code change and is still active in Squid's default configuration.
  • SUSE rates the vulnerability as moderate with a CVSS score of 6.5.
  • Calif.io credited Anthropic's Claude Mythos Preview AI with finding the bug.
  • Proof-of-concept code is public, with no in-the-wild exploitation reported as of the disclosure.
