CVE-2021-31807

MEDIUM

Squid Proxy Range Header DoS

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-31807. PoCs published by Joshua Rogers, including Metasploit module auxiliary/dos/http/squid_range_dos.

AI-analyzed exploit summary This Metasploit module exploits CVE-2021-31807, a denial-of-service vulnerability in Squid Proxy versions 3.0-4.1.4 and 5.0.1-5.0.5. It sends malformed Range headers to trigger assertions in Squid's range handler, causing a crash.

Description

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.

Exploits (1)

metasploit WORKING POC
by Joshua Rogers · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/squid_range_dos.rb

This Metasploit module exploits CVE-2021-31807, a denial-of-service vulnerability in Squid Proxy versions 3.0-4.1.4 and 5.0.1-5.0.5. It sends malformed Range headers to trigger assertions in Squid's range handler, causing a crash.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Squid Proxy 3.0-4.1.4, 5.0.1-5.0.5
No auth needed
Prerequisites: Network access to the Squid proxy server
mistral-large-3 · analyzed Jun 05, 2026 Full analysis →

Scores

CVSS v3 6.5
EPSS 0.1597
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-190
Status published
Products (19)
fedoraproject/fedora 33
fedoraproject/fedora 34
netapp/cloud_manager
squid-cache/squid 2.5.stable2
squid-cache/squid 2.5.stable3
squid-cache/squid 2.5.stable4
squid-cache/squid 2.5.stable5
squid-cache/squid 2.5.stable6
squid-cache/squid 2.5.stable7
squid-cache/squid 2.5.stable8
... and 9 more
Published Jun 08, 2021
Tracked Since Feb 18, 2026