SQUID-2021:8 Denial of Service in Gopher gateway
Description
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug, Squid is vulnerable to a Denial of Service attack against its Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses that trigger this bug can be received from any gopher server, even one without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
osv-coords (20 versions):
- pkg:rpm/almalinux/libecap (no CPE), range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/libecap-devel (no CPE), range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/squid (no CPE), range: < 7:4.15-7.module_el8.9.0+3708+6acaac63.5
- pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 5.7-150400.3.15.1
- pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 5.7-150400.3.15.1
- pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4 (no CPE), range: < 5.7-150400.3.15.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 (no CPE), range: < 5.7-150400.3.15.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 4.17-4.33.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 4.17-4.33.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 4.17-150000.5.41.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE), range: < 4.17-150000.5.41.1
- Range: < 6.0.1
Vulnerability mechanics
Root cause
"NULL pointer dereference in Squid's Gopher gateway code causes a denial of service."
Attack vector
An attacker can trigger a NULL pointer dereference by sending a crafted Gopher request to a vulnerable Squid proxy. The gopher protocol is always enabled by default in affected versions. Responses causing this bug can originate from any gopher server, even benign ones, making the attack trivially exploitable without special privileges.
Affected code
The commit removes all Gopher protocol support from Squid, including documentation references and translation strings. The vulnerability resides in Squid's Gopher gateway code, which is present in all versions prior to 6.0.1.
What the fix does
The patch removes all Gopher protocol support from Squid entirely, eliminating the vulnerable code path. By deleting the Gopher gateway implementation, the NULL pointer dereference bug can no longer be reached. Users unable to upgrade are advised to reject all gopher URL requests as a workaround.
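One way to verify the "reject all gopher URL requests" workaround on a proxy that cannot be upgraded, as an added example that is not part of the advisory or of Squid's code. It relies on the standard squid.conf directives `acl <name> proto ...` and `http_access allow|deny ...`; the function name, the ACL name `gopher` and the sample configurations are constructed for illustration. It assumes a single configuration file with no `include` lines and is deliberately conservative: any `http_access allow` that precedes the gopher deny is reported as a failure.

```python
import re

def audit_gopher_block(conf_text):
    """Classify a squid.conf body.

    Returns ("blocked" | "allow_first" | "missing", line_no).
    """
    gopher_acls = set()  # ACL names whose proto list includes gopher
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tok = re.sub(r"(^|\s)#.*$", "", raw).split()  # strip comments
        if len(tok) < 3:
            continue
        if tok[0] == "acl" and tok[2] == "proto":
            if "gopher" in (v.lower() for v in tok[3:]):
                gopher_acls.add(tok[1])
        elif tok[0] == "http_access":
            action, acls = tok[1], tok[2:]
            # A rule ANDs its ACLs, so only a deny made of a single gopher
            # proto ACL is certain to reject every gopher URL.
            if action == "deny" and len(acls) == 1 and acls[0] in gopher_acls:
                return ("blocked", line_no)
            if action == "allow":
                # http_access is first-match-wins: an earlier allow may
                # admit a gopher request before the deny is evaluated.
                return ("allow_first", line_no)
    return ("missing", None)

# Constructed sample: the deny exists but sits below an allow rule.
WEAK = """\
acl localnet src 10.0.0.0/8   # internal clients
acl gopher proto gopher
http_access allow localnet
http_access deny gopher
http_access deny all
"""

# Constructed sample: the gopher deny is evaluated before any allow.
FIXED = """\
acl localnet src 10.0.0.0/8   # internal clients
acl gopher proto gopher
http_access deny gopher
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_gopher_block(conf))
```

A result of `allow_first` or `missing` on a Squid older than 6.0.1 means gopher URLs can still reach the gateway code.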
Preconditions
- config: Squid must have the gopher protocol enabled (default in versions prior to 6.0.1)
- network: Attacker must be able to send a request to the Squid proxy that triggers the Gopher gateway
Generated on Jun 13, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3 (mitre, x_refsource_MISC)
- github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f (mitre, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/ (mitre)
- security.netapp.com/advisory/ntap-20231214-0006/ (mitre)