CVE-2021-33620
Description
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Squid/Squid (description-based match)
- OSV coordinates, 27 package ranges (package URL: fixed-in version):
  - pkg:rpm/almalinux/libecap: < 1.0.1-2.module_el8.6.0+2741+01592ae8
  - pkg:rpm/almalinux/libecap-devel: < 1.0.1-2.module_el8.6.0+2741+01592ae8
  - pkg:rpm/almalinux/squid: < 7:4.15-3.module_el8.6.0+3010+383bc947.1
  - pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.3: < 4.17-150000.5.32.1
  - pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweed: < 5.4.1-2.1
  - pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%206: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%207: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 4.17-4.24.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 4.17-4.24.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Proxy%204.1: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: < 4.17-150000.5.32.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Server%204.1: < 4.17-150000.5.32.1
Patches
Vulnerability mechanics
Root cause
"Crash in Content-Range response header parsing logic allows a remote server to cause a denial of service."
Attack vector
A remote server sends an HTTP response containing a crafted Content-Range header to a Squid proxy. The Squid proxy processes this header in a way that triggers a crash, causing a denial of service that affects availability to all clients using that proxy instance [ref_id=1]. The advisory notes the trigger is a header that can be expected to exist in normal HTTP traffic without malicious intent by the server [ref_id=1].
Affected code
The advisory lists "Crash in Content-Range Response Header Logic CVE-2021-33620" as one of the 55 vulnerabilities found in the Squid security audit [ref_id=1]. No specific function names or file paths are provided in the reference.
What the fix does
The advisory does not include a patch or detailed remediation guidance. The Squid Project was made aware of the issues, but after two and a half years the researcher released them publicly [ref_id=1]. The fix would require correcting the Content-Range response header parsing logic to properly validate and handle the edge cases that currently cause a crash.
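To make concrete what "properly validate and handle edge cases" means for this header, the following is an added illustration written for this page; it is not Squid's code and does not reproduce the input that triggered CVE-2021-33620, which the references do not describe. It is a strict validator for a server-supplied Content-Range value following the RFC 7233 grammar (`bytes first-last/complete-length`, `bytes first-last/*`, `bytes */complete-length`), returning a structured result or `None` and never raising, so a malformed header from a remote server is simply rejected rather than reaching code that assumes the value is well formed. The sample headers in `main()` are constructed for the demonstration.

```python
"""Strict, exception-free validation of the HTTP Content-Range response header.

Added illustration (not Squid's code). Grammar from RFC 7233, section 4.2:

  Content-Range     = "bytes" SP ( byte-range-resp / unsatisfied-range )
  byte-range-resp   = first-byte-pos "-" last-byte-pos "/" ( complete-length / "*" )
  unsatisfied-range = "*/" complete-length

Semantic rules enforced on top of the syntax: last >= first, and when a
complete-length is given, last < complete-length.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The digit width is capped so integer conversion is bounded even on hostile
# input; anything wider is rejected before it is ever converted.
_CONTENT_RANGE_RE = re.compile(
    r"^bytes (?:(\d{1,19})-(\d{1,19})|\*)/(?:(\d{1,19})|\*)$"
)

# Upper bound on the raw header value we are willing to look at at all.
_MAX_VALUE_LEN = 200


@dataclass(frozen=True)
class ContentRange:
    first: Optional[int]            # None for an unsatisfied-range ("*/1234")
    last: Optional[int]             # None for an unsatisfied-range
    complete_length: Optional[int]  # None when the server sent "*"


def parse_content_range(value: str) -> Optional[ContentRange]:
    """Return a ContentRange for a valid header value, or None for anything else.

    Never raises: every failure path returns None so the caller can drop or
    ignore the header without the parser itself becoming the crash site.
    """
    if not isinstance(value, str) or len(value) > _MAX_VALUE_LEN:
        return None
    # The range unit is case-insensitive per RFC 7233; normalise before matching.
    m = _CONTENT_RANGE_RE.match(value.strip().lower())
    if m is None:
        return None
    first_s, last_s, length_s = m.groups()
    complete_length = int(length_s) if length_s is not None else None

    if first_s is None:
        # unsatisfied-range: a complete-length is mandatory, so "*/*" is invalid.
        if complete_length is None:
            return None
        return ContentRange(None, None, complete_length)

    first, last = int(first_s), int(last_s)
    if last < first:
        return None                       # inverted range
    if complete_length is not None and last >= complete_length:
        return None                       # range runs past the declared length
    return ContentRange(first, last, complete_length)


def triage(values):
    """Classify a batch of header values; returns {value: 'valid'|'rejected'}."""
    return {v: ("valid" if parse_content_range(v) is not None else "rejected")
            for v in values}


def main() -> None:
    # Constructed sample values, including the edge cases the validator rejects.
    samples = [
        "bytes 0-499/1234",        # valid partial response
        "bytes 500-999/*",         # valid, total length unknown
        "bytes */1234",            # valid unsatisfied-range (416 response)
        "BYTES 0-499/1234",        # valid, unit is case-insensitive
        "bytes 500-499/1234",      # rejected: last < first
        "bytes 0-1234/1234",       # rejected: last >= complete-length
        "bytes */*",               # rejected: unsatisfied-range needs a length
        "bytes 0-499",             # rejected: missing "/"
        "bytes 0-99999999999999999999/1234",  # rejected: oversized integer
        "",                        # rejected: empty
    ]
    for value, verdict in triage(samples).items():
        print(f"{verdict:8s} {value!r}")


if __name__ == "__main__":
    main()
```

The point of the example is the shape of the failure handling rather than the regex itself: the bound on value length and digit width runs before any conversion, the semantic checks come after the syntactic ones, and every rejection is an ordinary return value, so a header that "can be expected to exist in HTTP traffic" but happens to be malformed costs the proxy one dropped header, not its availability.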
Preconditions
- config: The Squid proxy must be configured to forward HTTP responses (default behavior).
- network: A remote server (or an attacker controlling a server the client connects to) sends an HTTP response with a crafted Content-Range header.
- auth: No authentication or special privileges are required for the attacker; the malicious response is delivered during normal proxied traffic.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2023/Oct/14 (mitre, mailing-list)
- www.openwall.com/lists/oss-security/2023/10/11/3 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2021/06/msg00014.html (mitre, mailing-list)
- www.squid-cache.org/Versions/v4/changesets/squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch (mitre)
- www.squid-cache.org/Versions/v5/changesets/squid-5-8af775ed98bfd610f9ce762fe177e01b2675588c.patch (mitre)
- github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f (mitre)
News mentions
No linked articles in our index yet.