A 29-year-old vulnerability in the Squid web proxy, dubbed Squidbleed (CVE-2026-47729), has been discovered to leak cleartext HTTP requests from other users, including credentials and session tokens. The bug, which was introduced in 1997, can be exploited by an authorized proxy user to retrieve fragments of another user's HTTP requests. Researchers at Calif.io reported the flaw, crediting Anthropic's Claude Mythos Preview AI for its discovery.

Background and Context

Squid is a widely used web proxy that is often deployed in shared environments such as schools, businesses, and public Wi-Fi networks to cache, filter, or inspect traffic. The bug resides in Squid's FTP directory listing parser, specifically in code written to handle old NetWare FTP servers. In 1997, a commit was made to insert four spaces between the timestamp and filename in FTP listings, which led to the introduction of this vulnerability.

The researchers at Calif.io discovered that when a listing line ends right after the timestamp with no filename, the parser's pointer lands on the string terminator (\0). The C standard library function strchr counts that terminating NUL as part of the string, so a search for '\0' returns a pointer to the terminator rather than NULL. The parser takes the non-NULL result as a successful match and keeps going, so the loop runs past the end of the buffer, which is what lets an attacker retrieve fragments of another user's HTTP requests.
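The C-library rule behind this bug class is easy to demonstrate. The program below is an added example, not Squid's parser and not code from Calif.io; it uses a constructed one-token listing format ("&lt;timestamp&gt; &lt;filename&gt;") and hypothetical function names. It shows that strchr(s, '\0') returns a pointer to the terminator, how a scanner that trusts any non-NULL result advances one past the end of an empty tail, and the check that stops it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strchr counts the terminating NUL as part of the string (C11 7.24.5.2):
 * searching for '\0' never returns NULL, it returns s + strlen(s).
 * Returns 1 when that holds for s (it always does). */
int strchr_matches_terminator(const char *s)
{
    const char *hit = strchr(s, '\0');
    return hit != NULL && hit == s + strlen(s);
}

/* Constructed listing format for this example (not Squid's): a timestamp
 * token, one space, then the filename. Skip the timestamp token. */
static const char *skip_timestamp(const char *line)
{
    const char *p = line;
    while (*p != '\0' && *p != ' ')
        p++;
    return p;
}

/* Unsafe pattern: search for whatever character is under the cursor and
 * treat any non-NULL result as "separator found". When the line ends right
 * after the timestamp, *p is '\0', strchr(p, '\0') is p itself, and the
 * cursor is advanced to strlen(line) + 1: one past the buffer. We only
 * compute that offset here; we never dereference it. Returns the offset
 * the scanner would continue from. */
size_t unsafe_scan_offset(const char *line)
{
    const char *p = skip_timestamp(line);
    const char *sep = strchr(p, *p);   /* non-NULL even when *p == '\0' */
    if (sep != NULL)
        p = sep + 1;                   /* over-advances on an empty tail */
    return (size_t)(p - line);
}

/* Hardened: test for end of string before searching, search for the real
 * separator rather than the current character, and reject an empty
 * filename field. Returns the filename offset or -1 if there is none. */
long safe_filename_offset(const char *line)
{
    const char *p = skip_timestamp(line);
    if (*p == '\0')
        return -1;                     /* line ends after the timestamp */
    const char *sep = strchr(p, ' ');
    if (sep == NULL)
        return -1;
    p = sep + 1;
    if (*p == '\0')
        return -1;                     /* trailing space, still no filename */
    return (long)(p - line);
}

int main(void)
{
    /* Constructed sample lines: one complete, one truncated after the timestamp. */
    const char *full = "19970101T120000 readme.txt";
    const char *bare = "19970101T120000";

    printf("strchr(s, '\\0') non-NULL: %d\n", strchr_matches_terminator(bare));
    printf("unsafe offset, full line: %zu (len %zu)\n", unsafe_scan_offset(full), strlen(full));
    printf("unsafe offset, bare line: %zu (len %zu)\n", unsafe_scan_offset(bare), strlen(bare));
    printf("safe offset, full line:   %ld\n", safe_filename_offset(full));
    printf("safe offset, bare line:   %ld\n", safe_filename_offset(bare));
    return 0;
}
```

The unsafe function never reads out of bounds itself; it only reports the offset a trusting scanner would move to, which for the bare line is one byte past the terminator. A real parser that then reads from that offset is into whatever sits next in memory, which is the confidentiality failure the article describes.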

Why It Matters to the Industry

The Squidbleed vulnerability has significant implications for adult-industry platforms and operators that rely on web proxies like Squid to manage traffic. The bug can be exploited by an authorized proxy user, which means that even legitimate users of the proxy can potentially access sensitive information from other users. This could lead to unauthorized access to private data, including credentials and session tokens.

The vulnerability also highlights the importance of regular security audits and updates in shared environments like schools, businesses, and public Wi-Fi networks. Squid is commonly used in these settings, and the bug has been present for nearly three decades, suggesting that it may have gone undetected for a long time.

What Comes Next

The researchers at Calif.io recommend patching or disabling FTP to mitigate the vulnerability. Disabling FTP removes the attack surface entirely, as most networks no longer carry this protocol. The fix is also relatively simple, requiring only two characters of code to be changed in Squid's FTP directory listing parser.

However, it's worth noting that the risk associated with this vulnerability is considered moderate by SUSE, with a CVSS score of 6.5. This means that while the bug can potentially lead to unauthorized access to sensitive information, the impact is limited to confidentiality and does not affect integrity or availability.

Key Facts

  • The Squidbleed vulnerability (CVE-2026-47729) was introduced in 1997 and has been present for nearly three decades.
  • The bug resides in Squid's FTP directory listing parser, specifically in code written to handle old NetWare FTP servers.
  • The vulnerability can be exploited by an authorized proxy user to retrieve fragments of another user's HTTP requests.
  • The fix is relatively simple, requiring only two characters of code to be changed in Squid's FTP directory listing parser.
  • Disabling FTP removes the attack surface entirely and is recommended as a mitigation strategy.

In conclusion, the Squidbleed vulnerability highlights the importance of regular security audits and updates in shared environments like schools, businesses, and public Wi-Fi networks. Adult-industry platforms and operators should take immediate action to patch or disable FTP to mitigate this vulnerability and protect sensitive information from unauthorized access.