Squidbleed: A 29-Year-Old Memory Leak Exposes Credentials in Squid Proxy

Answer: The discovery of Squidbleed, a memory leak in the Squid caching proxy that has existed since 1997, shows that legacy code in widely deployed infrastructure can harbor critical vulnerabilities that silently expose sensitive data for decades. Stat: The vulnerability, tracked as CVE-2026-47729, affects every version of Squid in its default configuration when it handles cleartext HTTP or TLS-terminated traffic and can reach an attacker-controlled FTP server. Why it matters: For organizations relying on Squid for caching, filtering, and monitoring, this flaw means that attackers could have been harvesting credentials, API keys, and session tokens from internal network traffic for nearly 30 years without detection.

Background: The Anatomy of a Legacy Vulnerability

Squid is a widely used open-source caching proxy server deployed by large corporations, schools, and internet service providers to cache, filter, and monitor network traffic. The vulnerability, dubbed Squidbleed by researcher Lam Jun Rong of Calif.io, was discovered with the assistance of Anthropic's Claude Mythos Preview. The bug resides in Squid's FTP directory listing parser, introduced in a commit (bb97dd37a) created in 1997 to support NetWare servers—a discontinued network operating system from the 1980s and 1990s.

The flaw occurs when an attacker-controlled FTP server returns a directory listing without a filename after the modification timestamp. The parser's loop, designed to skip extra whitespace, fails to check for the null terminator, causing it to walk off the end of the buffer and copy adjacent memory—including plaintext HTTP requests—back to the attacker as a filename. This heap overread can leak passwords, API keys, and session tokens from proxied traffic.

The vulnerability was reported to Squid maintainers in April 2026 and fixed in Squid v7.6, released June 8, 2026. The patch is simple: check for the null terminator before calling strchr.
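To make the mechanism concrete, here is an added illustration written for this page; it is not Squid's code but a simplified stand-in for the pattern the two paragraphs above describe. The C standard defines strchr(s, '\0') as returning a pointer to the terminator of s, not NULL, so a separator-skipping loop of the form "while (strchr(separators, *p)) p++" treats the NUL that ends a line with no filename as one more separator and keeps walking. The separator set WS, the constructed buffer REGION and the fake proxied request placed after the line's terminator are assumptions for the demo; the `fence` argument exists only to keep the demo itself within its own array.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Separator set (assumption for this demo; the article does not list it). */
static const char WS[] = " \t\r\n";

/* Constructed buffer standing in for a heap region: a listing line whose
   timestamp is followed by a blank and then the NUL, and, immediately after
   it, unrelated data that happens to be adjacent (a fake proxied request,
   constructed for this example; "alice"/"example" are made-up values). */
static const char REGION[] =
    "Jan 01 12:00 \0GET /login?user=alice&pass=example HTTP/1.1\r\n";
#define TS_END 12  /* index of the blank right after "12:00" */

/* Vulnerable pattern: strchr(WS, '\0') is non-NULL because the C standard
   counts the terminating NUL of WS as part of WS.  The loop therefore sees
   the end of the line as "more whitespace" and continues into whatever lies
   beyond it.  `fence` exists only so this demo cannot read outside REGION;
   the pattern being illustrated has no such fence. */
size_t skip_ws_vulnerable(const char *p, size_t fence)
{
    size_t i = 0;
    while (i < fence && strchr(WS, p[i]) != NULL)
        i++;
    return i;
}

/* Hardened pattern: test for NUL before consulting strchr, which is the
   shape of the fix described above. */
size_t skip_ws_fixed(const char *p)
{
    size_t i = 0;
    while (p[i] != '\0' && strchr(WS, p[i]) != NULL)
        i++;
    return i;
}

/* Copy the "filename" that starts at p up to end of line, bounded by outsz. */
static void copy_name(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    while (n + 1 < outsz && p[n] != '\0' && p[n] != '\r' && p[n] != '\n') {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
}

/* Filename each variant would report for the listing line in REGION.
   fixed == 0 uses the unchecked loop, fixed != 0 the corrected one. */
void name_after_timestamp(int fixed, char *out, size_t outsz)
{
    const char *p = REGION + TS_END;
    size_t i = fixed ? skip_ws_fixed(p)
                     : skip_ws_vulnerable(p, sizeof(REGION) - TS_END);
    copy_name(p + i, out, outsz);
}

int main(void)
{
    char name[128];
    name_after_timestamp(0, name, sizeof name);
    printf("unchecked loop reports: \"%s\"\n", name); /* foreign data as a name */
    name_after_timestamp(1, name, sizeof name);
    printf("checked loop reports:   \"%s\"\n", name); /* empty: no filename */
    return 0;
}
```

The unchecked variant returns an offset two bytes past the blank, which in this buffer is the start of the neighbouring request, and the caller dutifully copies that text out as if it were a filename; the checked variant stops on the terminator and reports an empty name, which the caller can then reject. Any reviewer grepping a C code base for `while (strchr(` loops over a separator set will find candidates for the same mistake.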

Strategic Analysis: Who Gains, Who Loses

Winners: AI-Assisted Vulnerability Discovery

The discovery of Squidbleed underscores the growing role of AI in cybersecurity. Mythos Preview and Anthropic's Claude demonstrated the ability to analyze decades-old code and identify subtle memory corruption bugs that human reviewers missed. This success will likely accelerate adoption of AI-driven code auditing tools, particularly for legacy infrastructure software. Calif.io and Lam Jun Rong gain significant credibility, positioning themselves as leaders in AI-assisted vulnerability research.

Losers: Organizations with Unpatched Squid Deployments

Any organization running Squid without applying the June 2026 patch remains exposed. Given that the vulnerability has existed for 29 years, it is plausible that attackers have already exploited it in the wild, though no public reports have emerged yet. The risk is highest for organizations that use Squid in cleartext HTTP or TLS-terminating configurations and allow outbound FTP connections. Schools, ISPs, and large enterprises that have not modernized their proxy infrastructure are particularly vulnerable.

Technical Debt and Protocol Deprecation

The root cause of Squidbleed is Squid's continued support for FTP, a protocol that Chromium-based browsers stopped supporting years ago. As Rong notes, most organizations see close to zero legitimate FTP traffic. This incident highlights the security cost of maintaining legacy protocol support. Organizations should audit their proxy configurations and disable FTP unless absolutely necessary, removing the entire attack surface.

Market Impact: Accelerating the End of FTP in Proxies

The Squidbleed disclosure is likely to accelerate the deprecation of FTP support in proxy servers and other network infrastructure. Vendors will face pressure to remove legacy protocol handlers that introduce unnecessary risk. Additionally, the incident may spur regulatory scrutiny of open-source software used in critical infrastructure, potentially leading to mandates for regular code audits and vulnerability disclosure timelines.

For the cybersecurity industry, Squidbleed reinforces the value of AI-powered code analysis. Expect increased investment in tools that can automatically scan historical codebases for similar memory safety issues. The success of Mythos Preview and Claude in this discovery will be used as a case study to promote AI-assisted security reviews.

Outlook & Next Steps

Organizations using Squid should prioritize patching to Squid v7.6 or later. Additionally, they should disable FTP support in Squid configurations immediately. Over the next 30 days, watch for proof-of-concept exploits or active exploitation attempts. Security teams should review proxy logs for signs of anomalous FTP connections or data exfiltration. The broader industry should expect more disclosures of legacy vulnerabilities discovered through AI-assisted analysis, particularly in widely deployed open-source projects.
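A small triage helper for the log review step above, added here as an example and not taken from Squid or the article: it reads lines in Squid's native access.log layout (time, elapsed, client, action/code, size, method, URL, ident, hierarchy/from, content type), flags every request whose URL uses the ftp:// scheme regardless of letter case, and reports which client made it. The sample lines are constructed for this example; 203.0.113.7 and the 10.0.0.x clients are documentation addresses, not real hosts.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Copy the n-th whitespace-separated field (1-based) of `line` into `out`.
   Returns 1 on success, 0 if the line has fewer than n fields. */
int nth_field(const char *line, int n, char *out, size_t outsz)
{
    const char *p = line;
    for (int f = 1; ; f++) {
        while (*p == ' ' || *p == '\t')              /* NUL stops this loop */
            p++;
        if (*p == '\0')
            return 0;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        if (f == n) {
            size_t len = (size_t)(p - start);
            if (len >= outsz)
                len = outsz - 1;
            memcpy(out, start, len);
            out[len] = '\0';
            return 1;
        }
    }
}

/* Case-insensitive "does s start with prefix"; stops safely at NUL. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Squid native access.log layout; field 3 is the client, field 7 the URL.
   Returns 1 if the line records an FTP fetch and fills `client` if given. */
int is_ftp_request(const char *line, char *client, size_t clientsz)
{
    char url[512];
    if (!nth_field(line, 7, url, sizeof url))
        return 0;
    if (!has_prefix_ci(url, "ftp://"))
        return 0;
    if (client)
        nth_field(line, 3, client, clientsz);
    return 1;
}

/* Constructed sample lines (not real logs). */
static const char *const SAMPLE[] = {
    "1717000000.101    245 10.0.0.5 TCP_MISS/200 5123 GET http://intranet.example/ - HIER_DIRECT/192.0.2.10 text/html",
    "1717000000.320     12 10.0.0.5 TCP_HIT/200 2048 GET http://intranet.example/logo.png - HIER_NONE/- image/png",
    "1717000001.004   1503 10.0.0.9 TCP_MISS/200 891 GET ftp://203.0.113.7/pub/ - HIER_DIRECT/203.0.113.7 text/html",
    "1717000002.777    930 10.0.0.9 TCP_MISS/200 1203 GET FTP://203.0.113.7/incoming/ - HIER_DIRECT/203.0.113.7 text/html",
    "1717000003.010     88 10.0.0.12 TCP_MISS/403 0 CONNECT mail.example:443 - HIER_NONE/- -",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Print each FTP fetch with its client and return how many were found. */
size_t report_ftp(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        char client[64];
        if (is_ftp_request(lines[i], client, sizeof client)) {
            hits++;
            printf("FTP via proxy: client=%s (line %zu)\n", client, i + 1);
        }
    }
    return hits;
}

int main(void)
{
    size_t hits = report_ftp(SAMPLE, NSAMPLE);
    printf("%zu FTP request(s) in %zu log lines\n", hits, NSAMPLE);
    return 0;
}
```

To run it against a real deployment, replace the constructed array with lines read from access.log in main. Since the article notes that most organizations see close to zero legitimate FTP traffic, every hit deserves a look, and the unpatched window (every release before v7.6) makes the client and destination on each hit the first things to record. Where the protocol is not needed at all, a squid.conf rule that denies it (an `acl` of type `proto` matching FTP, combined with `http_access deny`) removes the attack surface rather than merely observing it.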

Final Take

Squidbleed is a stark reminder that the software we rely on today carries the baggage of decisions made decades ago. The fact that a 1997 commit for a long-dead operating system could compromise the security of modern networks is a testament to the hidden risks of technical debt. AI-assisted vulnerability discovery is no longer a novelty—it is a necessity for securing the digital infrastructure that underpins our economy. Organizations that fail to act on this disclosure are gambling with their most sensitive data.

Source: The Register

Intelligence FAQ

Squidbleed is a memory leak in Squid's FTP directory listing parser that leaks plaintext HTTP requests, including credentials and session tokens. It stems from a loop that fails to check for a null terminator, causing an out-of-bounds read.

All versions of Squid from 1997 to June 2026 are affected when configured to handle cleartext HTTP or TLS-terminated traffic and allowed to connect to an attacker-controlled FTP server.