CVE-2025-54574: 
Squid vulnerability analysis and mitigation

CVE-2025-54574 affects Squid, a caching proxy for the Web. The vulnerability was discovered in versions 6.3 and below, where Squid is susceptible to a heap buffer overflow and potential remote code execution when processing URN (Uniform Resource Name) due to incorrect buffer management. The issue was disclosed on July 31, 2025, and has been fixed in version 6.4. The vulnerability received a CVSS v3.1 score of 9.3 (Critical) (GitHub Advisory, NVD).

The vulnerability stems from incorrect buffer management when processing URN Trivial-HTTP responses. The heap buffer overflow condition occurs during URN processing, potentially allowing delivery of up to 4KB of Squid allocated heap memory to the client. The vulnerability affects multiple versions including Squid-4.x up to 4.17, Squid-5.x up to 5.9, and Squid-6.x up to 6.3. Squid versions older than 4.14 should be assumed vulnerable. The issue has been classified as CWE-122 (Heap-based Buffer Overflow) (GitHub Advisory).

The vulnerability can lead to remote code execution and data leakage. When exploited, the buffer overflow attack could result in the exposure of up to 4KB of Squid allocated heap memory to the client, potentially revealing security credentials or other confidential data (Security Online, GitHub Advisory).

The vulnerability has been patched in Squid version 6.4. For users unable to update immediately, a workaround is available by disabling URN access permissions through adding the following ACL rule to the Squid configuration: 'acl URN proto URN' followed by 'http_access deny URN'. Patches addressing this issue for stable releases can be found in the patch archives, with Squid 6 patch identified as a27bf4b (GitHub Advisory).