Dozens of vulnerabilities within the widely used Squid caching and forwarding web proxy have remained unaddressed for two years after being reported by researcher Joshua Rogers.
Squid, an open-source proxy, plays a significant role in home and office firewall devices, large-scale web proxy setups, and content delivery infrastructures. These vulnerabilities, totaling 55, were identified through comprehensive testing methods like fuzzing, manual code review, and static analysis. Although a few flaws received CVE identifiers, 35 of them remain unpatched, some of which can lead to system crashes or enable arbitrary code execution. Despite the cooperative engagement of the Squid Team, resource limitations have prevented prompt fixes, and over 2.5 million Squid instances are exposed on the internet, posing security risks.
Rogers expressed gratitude for the assistance provided by the Squid Team during the disclosure process but acknowledged their resource constraints, which hindered the resolution of the identified vulnerabilities. Addressing these issues has proved challenging, given the Squid Team’s limited capacity.
As the researcher emphasized, there’s a vital need for users to review the suitability of Squid within their technology stack, particularly if their environment is vulnerable to the existing flaws. In light of the vulnerabilities and their impact on system security, individuals and organizations are encouraged to consider alternatives to Squid.
SecurityWeek has reached out to Squid developers for their comments, and further updates will be provided if they respond, shedding more light on the unaddressed security concerns related to Squid.