A nearly 30-year-old vulnerability in the Squid web proxy, dubbed “Squidbleed” (CVE-2026-47729), can leak fragments of other users’ cleartext HTTP requests—including sensitive data like session cookies and authorization headers—to anyone already permitted to use the same proxy. The flaw originates from a 1997 FTP parsing change and remains present in Squid’s default configuration, resurfacing as a heap over-read that echoes the mechanics of the infamous Heartbleed bug.
The issue was disclosed in June by researchers at Calif.io, who found that Squid’s FTP directory listing parser can be tricked into reading beyond the bounds of a memory buffer. Squid notes that the attack requires a “trusted client” model: the attacker must already have access to the proxy, making shared environments like corporate networks, schools, and public Wi-Fi the primary risk zones. The leak is also limited to traffic visible to Squid itself, meaning encrypted HTTPS inside CONNECT tunnels is not exposed, but plain HTTP traffic and TLS-intercepting setups remain vulnerable.
At the core of the bug is a logic error in how Squid processes FTP directory listings. A malformed response from an attacker-controlled FTP server can cause the parser to mis-handle string termination, triggering a loop that reads past the end of a buffer. Because Squid reuses memory without fully zeroing it, those buffers may still contain remnants of previous users’ HTTP requests. In practice, this can allow an attacker to recover sensitive fragments—such as authentication headers—from other users sharing the same proxy.
While proof-of-concept code is publicly available, no active exploitation has been observed in the wild. The vulnerability has been partially addressed in Squid 7.x releases with a simple null-termination check, though some uncertainty remains across backported distribution patches. Security researchers recommend disabling FTP support entirely as the most effective mitigation, given its limited modern use. Rated CVSS 6.5, Squidbleed is not a system takeover bug, but a confidentiality risk that highlights how legacy parsing logic can quietly persist as an attack surface for decades.
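To make the mechanism in the two preceding paragraphs concrete (an unterminated line scanned past the bytes a response actually supplied, and the null-termination check that stops it), here is an added C illustration that is not Squid's code: the reused block, the stale request, the listing line and all function names are constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed simulation (not Squid's code) of one reused heap block: a stale
 * HTTP request from an earlier user still sits in the block when an FTP listing
 * line from the server is copied over its first bytes. Sample values are made up. */
#define BLOCK_SIZE 128
typedef struct { char data[BLOCK_SIZE]; size_t len; } Block;  /* len = bytes the response supplied */
static const char STALE_REQUEST[] = "GET /account HTTP/1.1\r\nHost: intranet.example\r\n"
                                    "Authorization: Bearer constructed-example-token\r\n";
static const char LISTING_LINE[] = "drwxr-xr-x 2 ftp ftp 4096 Jan 1 12:00 pub";

/* Reuse the block without zeroing it, then store the listing line; `terminated`
 * models whether the NUL the parser expects was written after it. */
static void store_response(Block *b, int terminated) {
    memset(b->data, 0, sizeof b->data);
    memcpy(b->data, STALE_REQUEST, sizeof STALE_REQUEST - 1);
    b->len = sizeof LISTING_LINE - 1;
    memcpy(b->data, LISTING_LINE, b->len);
    if (terminated) b->data[b->len] = '\0';
}

/* Vulnerable pattern: treats the stored line as a C string, so without a
 * terminator the scan runs on through whatever follows in the block. */
static size_t line_len_unchecked(const Block *b) { return strlen(b->data); }

/* Hardened pattern: the terminator must lie within the bytes this response
 * owns (len bytes plus the terminator slot); otherwise reject the line. */
static long line_len_checked(const Block *b) {
    const char *z = memchr(b->data, '\0', b->len + 1);
    return z ? (long)(z - b->data) : -1L;
}

/* 1 if the unchecked parse swallows bytes of the stale request, else 0. */
static int unchecked_leaks_stale_header(void) {
    Block b;
    store_response(&b, 0);
    return line_len_unchecked(&b) > b.len &&
           strstr(b.data + b.len, "Authorization: Bearer") != NULL;
}

/* Bounded parser's verdict: 41 for a terminated line, -1 for an unterminated one. */
static long checked_result(int terminated) {
    Block b;
    store_response(&b, terminated);
    return line_len_checked(&b);
}

int main(void) {  /* prints "1 41 -1" */
    printf("%d %ld %ld\n", unchecked_leaks_stale_header(), checked_result(1), checked_result(0));
}
```

The unchecked scan reports a line longer than the response delivered and the surplus bytes carry the earlier request's Authorization header; the bounded version refuses the same input instead of reading on.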
