Back to KEVs

CVE-2025-54574

Squid's URN Handling can lead to Buffer Overflow

Basic Information

CVE State
PUBLISHED
Reserved Date
July 25, 2025
Published Date
August 01, 2025
Last Updated
November 05, 2025
Vendor
squid-cache
Product
squid
Description
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.

CVSS Scores

CVSS v3.1

9.3 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-11-17 15:00:08 UTC) Source

References

https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3 https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988 https://github.com/squid-cache/squid/releases/tag/SQUID_6_4

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-11-17 15:00:08 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel