CVE-2024-25111 Overview
CVE-2024-25111 is a denial-of-service vulnerability in Squid, an open-source caching HTTP proxy widely deployed in front of web servers and inside enterprise networks. The flaw resides in the HTTP Chunked Transfer-Encoding decoder, which contains an uncontrolled recursion bug [CWE-674]. A remote, unauthenticated attacker can send a crafted chunked-encoded HTTP message that triggers excessive recursion, exhausting process resources and crashing the proxy. The issue affects Squid releases from 3.5.27 up to but not including 6.8, and is fixed in Squid 6.8. Downstream products that bundle Squid, including Fedora and NetApp BlueXP, are also affected.
Critical Impact
An unauthenticated remote attacker can repeatedly crash Squid proxies with a single malformed chunked HTTP request, disrupting all web traffic flowing through the affected gateway.
Affected Products
- Squid Cache: Squid versions 3.5.27 through 6.7
- Fedora 38 and Fedora 39 (Squid package)
- NetApp BlueXP
Discovery Timeline
- 2024-03-06 - CVE-2024-25111 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-25111
Vulnerability Analysis
The vulnerability lives in Squid's HTTP/1.1 Chunked Transfer-Encoding parser. The parser uses a recursive routine to process chunked message bodies. When an attacker submits a chunked HTTP message constructed to extend the recursion path indefinitely, the call stack grows without bound. Squid eventually exhausts the process stack and aborts, terminating the proxy worker.
Because Squid frequently runs as a forward or reverse proxy in front of internet-facing infrastructure, the attack surface is broad. A single request reaches the vulnerable parser before any authentication occurs, and repeated requests can keep the proxy in a continuous crash loop. The bug is tracked under [CWE-674: Uncontrolled Recursion].
Root Cause
The chunked decoder does not enforce a recursion depth limit or convert the recursion into bounded iteration. Crafted chunk framing causes the decoder to call itself far beyond safe limits. The upstream fix in Squid 6.8 rewrites the chunked-parsing logic so that nested or malformed chunk structures cannot drive unbounded stack growth.
Attack Vector
Exploitation requires only network access to the Squid listener. The attacker sends an HTTP message with Transfer-Encoding: chunked containing a crafted chunk sequence. No credentials, prior session, or user interaction are required. The result is a process abort that drops in-flight connections and denies service to all clients routed through the proxy.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-72c2-c3wm-8qxc and the Squid Patch SQUID-2024_1 for upstream technical detail.
Detection Methods for CVE-2024-25111
Indicators of Compromise
- Unexpected Squid worker process crashes or restarts logged in cache.log with stack-related abort signals such as SIGSEGV or stack overflow messages.
- Spikes in HTTP requests carrying Transfer-Encoding: chunked from a small set of source IPs immediately preceding proxy failure.
- Sudden drop in proxied client sessions correlated with watchdog or systemd restarts of the squid service.
Detection Strategies
- Inspect Squid access.log and cache.log for repeated abnormal terminations followed by automatic worker respawn within short time windows.
- Deploy network IDS or WAF rules that flag malformed chunked encoding, oversized chunk-extension fields, and abnormal nesting in HTTP request bodies destined for the proxy.
- Correlate proxy availability metrics with inbound HTTP request anomalies to detect crash-loop patterns.
Monitoring Recommendations
- Alert on Squid process restart counts exceeding a baseline threshold per hour.
- Monitor Transfer-Encoding: chunked request volume and source distribution at the perimeter.
- Track CPU, memory, and stack usage of the squid process to catch resource anomalies before a crash.
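The crash-loop check described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of this advisory or of Squid itself: it pairs each abnormal termination in cache.log with the respawn that follows it and alerts when the number of such cycles inside a sliding window reaches a threshold. The abort and respawn message fragments, the one-hour window, the threshold of three and the sample log lines are all assumptions; adjust them to the messages your Squid build actually writes.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# cache.log lines look like "YYYY/MM/DD HH:MM:SS kidN| message" (kidN| only with SMP workers)
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+\|)? (.*)$")
# Assumed abort / respawn fragments; adjust to the messages your Squid build emits
ABORT_RE = re.compile(r"Terminated abnormally|FATAL: Received (Segment Violation|Bus Error)|stack overflow", re.I)
RESPAWN_RE = re.compile(r"Starting Squid Cache version", re.I)

def find_crash_loops(lines, window_seconds=3600, threshold=3):
    """Pair each abnormal termination with the respawn that follows it (one crash
    cycle) and return (respawn_time, cycles_in_window) whenever the number of
    cycles inside the sliding window reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    cycles = deque()       # respawn timestamps of completed crash cycles
    pending_abort = None   # timestamp of an abort not yet followed by a respawn
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if ABORT_RE.search(msg):
            pending_abort = ts
        elif RESPAWN_RE.search(msg) and pending_abort is not None:
            pending_abort = None          # a clean start without a prior abort is not counted
            cycles.append(ts)
            while cycles and ts - cycles[0] > window:
                cycles.popleft()
            if len(cycles) >= threshold:
                alerts.append((ts, len(cycles)))
    return alerts

# Constructed sample: one clean start, then three crash/respawn cycles in 21 minutes
SAMPLE_LOG = """\
2024/03/06 11:00:00 kid1| Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
2024/03/06 12:00:01 kid1| Squid Cache (Version 6.7): Terminated abnormally.
2024/03/06 12:00:03 kid1| Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
2024/03/06 12:10:20 kid1| FATAL: Received Segment Violation...dying.
2024/03/06 12:10:22 kid1| Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
2024/03/06 12:20:40 kid1| Squid Cache (Version 6.7): Terminated abnormally.
2024/03/06 12:20:42 kid1| Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
"""

if __name__ == "__main__":
    for when, count in find_crash_loops(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when}: {count} crash/respawn cycles within the last hour")
```

Feed the function a tail of the live cache.log (or the journal for the squid unit) and route the alerts to whatever raises your availability alarms.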
How to Mitigate CVE-2024-25111
Immediate Actions Required
- Upgrade Squid to version 6.8 or later on all affected hosts.
- For stable branches that cannot be upgraded immediately, apply the official patch from the Squid patch archive.
- Restrict exposure of the Squid listener to trusted networks where business requirements allow, reducing the unauthenticated attack surface.
- For bundled distributions, update via the Fedora package announcement, the Debian LTS announcement, and the NetApp Security Advisory NTAP-20240605-0001.
Patch Information
The upstream fix is included in Squid 6.8. Maintainers also provide backport patches for older stable releases through the Squid patch archive and the GitHub Security Advisory GHSA-72c2-c3wm-8qxc. Downstream vendors have shipped corresponding package updates for Fedora 38, Fedora 39, Debian LTS, and NetApp BlueXP.
Workarounds
- No vendor-supplied workaround exists. The Squid maintainers explicitly state there is no configuration mitigation, so patching or upgrading is required.
- As a temporary risk reduction, place an upstream HTTP filter or reverse proxy that strictly validates Transfer-Encoding: chunked framing in front of Squid until the upgrade is applied.
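The strict chunked-framing validation that the workaround above calls for, and the bounded-iteration shape that the Root Cause section contrasts with unbounded recursion, as an added example that is neither Squid's code nor its upstream fix: a filter could run this over a request body before forwarding it. The limits (chunk count, extension length, total decoded size) are hypothetical defaults and the function name is mine.

```python
import re

# chunk-size line: 1-8 hex digits plus an optional ";ext" (strict: no whitespace, no bare LF)
CHUNK_LINE_RE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?")

def validate_chunked(body, max_chunks=1024, max_ext_len=64, max_total=8 * 1024 * 1024):
    """Decode a chunked body with a plain loop, never recursion, and reject framing
    that exceeds the hypothetical limits. Returns (ok, reason, payload);
    max_chunks counts the terminating last-chunk as well."""
    pos, total, payload = 0, 0, bytearray()
    for _ in range(max_chunks):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False, "truncated chunk-size line", b""
        m = CHUNK_LINE_RE.fullmatch(body, pos, eol)
        if m is None:
            return False, "malformed chunk-size line", b""
        if len(m.group(2) or b"") > max_ext_len:
            return False, "oversized chunk extension", b""
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: zero or more "Name: value" trailer lines, then an empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    return False, "truncated trailer section", b""
                line, pos = body[pos:eol], eol + 2
                if line == b"":
                    break
                if b":" not in line or len(line) > 1024:
                    return False, "malformed trailer line", b""
            if pos != len(body):
                return False, "data after last-chunk", b""
            return True, "ok", bytes(payload)
        total += size
        if total > max_total:
            return False, "decoded body exceeds limit", b""
        # chunk-data must be followed by CRLF; the slice comes up short if the body is truncated
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk-data not terminated by CRLF", b""
        payload += body[pos:pos + size]
        pos += size + 2
    return False, "too many chunks", b""
```

Because the loop has a fixed iteration budget and every read is bounds-checked, the decoder's stack usage stays constant regardless of how the chunk sequence is framed.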
# Verify installed Squid version and upgrade on Debian/Ubuntu
squid -v | head -n 1
sudo apt update && sudo apt install --only-upgrade squid
# Verify installed Squid version and upgrade on Fedora
rpm -q squid
sudo dnf upgrade --refresh squid
# Confirm patched version is 6.8 or later
squid -v | grep -E 'Version (6\.([89]|[1-9][0-9])|[7-9]|[1-9][0-9])'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.