CVE-2020-25097: 
Squid vulnerability analysis and mitigation

CVE-2020-25097 affects Squid versions through 4.13 and 5.x through 5.0.4. The vulnerability was discovered in March 2021 and stems from improper input validation that allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by security controls. This occurs specifically for certain uri_whitespace configuration settings (NVD, GitHub Advisory).

The vulnerability is caused by improper input validation in Squid's handling of HTTP requests. It has a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The issue specifically affects configurations with uriwhitespace set to 'allow', 'chop', or 'strip', as well as configurations without uriwhitespace specified (GitHub Advisory).

The vulnerability allows a trusted client to bypass Squid security controls through HTTP Request Smuggling, potentially leading to unauthorized access to services and disclosure of sensitive information. The vulnerability has been rated as having a Critical severity due to its potential for exposing protected services (GitHub Advisory, NetApp Advisory).

Two workarounds are available: either configure squid.conf with 'uriwhitespace deny' or configure with 'uriwhitespace encode'. For permanent remediation, users should upgrade to Squid versions 4.14 or 5.0.5 or later. Patches addressing this vulnerability for stable releases are available in the Squid patch archives (GitHub Advisory).