Wiz
Vulnerability DatabaseCVE-2021-28652

CVE-2021-28652
Squid vulnerability analysis and mitigation

Overview

CVE-2021-28652 is a vulnerability discovered in Squid versions before 4.15 and 5.x before 5.0.6, disclosed on May 27, 2021. The vulnerability stems from incorrect parser validation in the Cache Manager API, which allows a trusted client to trigger memory leaks that can lead to a Denial of Service attack via an unspecified short query string. This vulnerability specifically affects clients with Cache Manager API access privileges (NVD, GitHub Advisory).

Technical details

The vulnerability is caused by a parser validation bug in the Cache Manager API that leads to memory leaks. The issue has a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime). The bug was discovered in the CacheManager::ParseUrl() function where incorrect parsing of URLs containing specific patterns could trigger memory leaks (Squid Bug).

Impact

The primary impact of this vulnerability is a Denial of Service condition affecting the Squid proxy server and potentially the machine it operates on. When exploited, the vulnerability allows trusted clients to trigger memory leaks that accumulate over time, eventually leading to resource exhaustion and service disruption (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Squid versions 4.15 and 5.0.6. For systems unable to upgrade immediately, recommended workarounds include either disabling Cache Manager access entirely if not needed by adding 'http_access deny manager' in squid.conf before any 'allow' lines, or hardening Cache Manager access privileges through authentication and additional access controls beyond the default IP address restriction (GitHub Advisory).

Community reactions

The vulnerability was discovered by Joshua Rogers of Opera Software and fixed by Amos Jeffries of Treehouse Networks Ltd. Multiple Linux distributions including Debian, Ubuntu, and Fedora released security advisories and patches to address this vulnerability (Debian Security, Ubuntu Security, Fedora Update).

Additional resources

SourceThis report was generated using AI

Related Squid vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-54574CRITICAL9.8
  • SquidSquid
  • squid-sysvinit
NoYesAug 01, 2025
CVE-2025-62168HIGH7.5
  • SquidSquid
  • libecap
NoYesOct 17, 2025
CVE-2024-45802HIGH7.5
  • SquidSquid
  • squid-migration-script
NoYesOct 28, 2024
CVE-2025-59362MEDIUM4
  • SquidSquid
  • squid:4::libecap
NoYesSep 26, 2025
ELSA-2025-20935HIGHN/A
  • SquidSquid
  • squid
NoYesNov 25, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo