CVE-2024-25111

HIGH

Squid <6.8 - DoS

Title source: llm

Description

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.

References (6)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/03/msg00009.html

[Mailing List] https://lists.fedoraproject.org/archives/list/[email protected]/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/

[Mailing List] https://lists.fedoraproject.org/archives/list/[email protected]/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20240605-0001/

[Vendor Advisory] https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc

[Mailing List, Patch] http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch

Scores

CVSS v3 8.6

EPSS 0.0313

EPSS Percentile 86.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (4)

fedoraproject/fedora 38

fedoraproject/fedora 39

netapp/bluexp

squid-cache/squid 3.5.27 - 6.8

Published Mar 06, 2024

Tracked Since Feb 18, 2026