CVE-2024-25111

HIGH

Squid 3.5.27-6.7 - Denial of Service via HTTP Chunked Decoder Uncontrolled Recursion

Title source: llm

Description

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/03/msg00009.html

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20240605-0001/

Vendor Advisory x_refsource_confirm

https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc

Mailing List, Patch x_refsource_misc

http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch

Scores

CVSS v3 8.6

EPSS 0.6525

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (4)

fedoraproject/fedora 38

fedoraproject/fedora 39

netapp/bluexp

squid-cache/squid 3.5.27 - 6.8

Published Mar 06, 2024

Tracked Since Feb 18, 2026