CVE-2024-25617 Overview
CVE-2024-25617 is a denial of service vulnerability in Squid, an open source caching proxy supporting HTTP, HTTPS, FTP, and other protocols. The flaw stems from a Collapse of Data into Unsafe Value bug [CWE-182] in HTTP header parsing. A remote client or remote server can trigger the condition by sending oversized headers in HTTP messages. Versions prior to Squid 6.5 are exposed when request_header_max_size or reply_header_max_size retain their default values. The issue is also tracked as SQUID-2024:2 and affects downstream products including NetApp BlueXP.
Critical Impact
Unauthenticated remote attackers can crash Squid proxy instances by sending oversized HTTP headers, disrupting all proxied traffic for downstream users.
Affected Products
- Squid versions prior to 6.5
- NetApp BlueXP
- Any deployment using default request_header_max_size or reply_header_max_size settings
Discovery Timeline
- 2024-02-14 - CVE-2024-25617 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-25617
Vulnerability Analysis
The vulnerability resides in Squid's HTTP header parsing logic. When Squid processes inbound HTTP messages, it allocates buffers sized according to the request_header_max_size and reply_header_max_size configuration directives. Oversized headers trigger a Collapse of Data into Unsafe Value condition, causing the proxy process to terminate or become unresponsive. Both client-to-proxy and server-to-proxy traffic paths are affected, meaning any malicious endpoint in the communication chain can disrupt service.
Root Cause
The root cause is improper handling of boundary conditions during header collapse operations, classified as [CWE-182]. Squid's default configuration in versions before 6.5 set these size limits to values that allowed exploitation. In version 6.5, the defaults were changed to safe values, and a critical warning is emitted to cache.log when administrators configure unsafe values. However, Squid does not block administrators from setting unsafe values.
Attack Vector
The attack requires no authentication or user interaction. A remote attacker sends a single HTTP request or response containing headers exceeding the configured maximum size. The proxy attempts to parse the oversized header, triggering the unsafe data collapse and producing a denial of service. The EPSS score of 88.864% reflects active interest in exploiting this issue across exposed Squid instances on the internet.
No verified public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-h5x6-w8mv-xfpr for vendor technical detail.
Detection Methods for CVE-2024-25617
Indicators of Compromise
- Repeated Squid worker process crashes or restarts logged in cache.log
- HTTP requests or responses containing header sections larger than typical client or server output
- Critical warning messages in cache.log indicating unsafe request_header_max_size or reply_header_max_size configuration
- Sudden spikes in proxy unavailability or connection failures from downstream clients
Detection Strategies
- Monitor Squid cache.log for unexpected process termination and parser warnings
- Inspect HTTP traffic at the network perimeter for abnormally large header payloads
- Correlate proxy availability metrics with inbound request size distributions
- Audit Squid configuration files for request_header_max_size and reply_header_max_size values that deviate from safe defaults
Monitoring Recommendations
- Forward cache.log and access.log to a centralized logging platform for alerting on crash patterns
- Track HTTP request and response header byte counts in network telemetry
- Alert on Squid service restarts and worker process exits exceeding baseline frequency
- Review NetApp BlueXP vendor notifications for embedded Squid component status
How to Mitigate CVE-2024-25617
Immediate Actions Required
- Upgrade Squid to version 6.5 or later where default header size settings are safe
- Audit existing squid.conf for explicit request_header_max_size and reply_header_max_size values and remove or reduce unsafe overrides
- Apply vendor patches for downstream products such as NetApp BlueXP per the NetApp Security Advisory
- Restrict exposure of Squid management and proxy ports to trusted networks where possible
Patch Information
The fix is delivered in Squid 6.5 and is implemented in upstream commit 72a3bbd5e431597c3fdb56d752bc56b010ba3817. NetApp has issued advisory NTAP-20240322-0006 covering BlueXP. The advisory states there are no known workarounds, making the upgrade the only complete remediation.
Workarounds
- No vendor-supported workaround exists; upgrading to Squid 6.5 or later is required
- As a partial hardening measure, ensure request_header_max_size and reply_header_max_size are not configured to unsafe values and review cache.log for the critical warning emitted by Squid 6.5 when unsafe values are detected
# Configuration example: verify safe header size settings in squid.conf
grep -E 'request_header_max_size|reply_header_max_size' /etc/squid/squid.conf
# Confirm running version is 6.5 or later
squid -v | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

