SQUID-2023:10 Denial of Service in HTTP Request parsing
Description
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform a Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- pkg:rpm/almalinux/libecap: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/libecap-devel: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/squid: < 7:4.15-7.module_el8.9.0+3749+dbf371ed.10
- pkg:rpm/opensuse/squid (openSUSE Leap 15.5): < 5.7-150400.3.23.1
- pkg:rpm/opensuse/squid (openSUSE Tumbleweed): < 6.6-2.1
- pkg:rpm/suse/squid (SUSE Enterprise Storage 7.1): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Module for Server Applications 15 SP5): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 12 SP5): < 4.17-4.41.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15 SP2-LTSS): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15 SP3-LTSS): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15 SP4-LTSS): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 4.17-4.41.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 15 SP3): < 4.17-150000.5.49.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 15 SP4): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Manager Proxy 4.3): < 5.7-150400.3.23.1
- pkg:rpm/suse/squid (SUSE Manager Server 4.3): < 5.7-150400.3.23.1
- Squid (upstream): >= 2.6, <= 2.7.STABLE9
Patches
Vulnerability mechanics
Root cause
"Unbounded indirect recursion in clientFollowXForwardedForCheck() when processing X-Forwarded-For header elements with follow_x_forwarded_for enabled."
Attack vector
A remote client sends an HTTP request containing an excessively large `X-Forwarded-For` header (thousands of addresses) to a Squid proxy that has the `follow_x_forwarded_for` directive configured. Each address in the header triggers an immediate `nonBlockingCheck()` callback, causing unbounded indirect recursion in `clientFollowXForwardedForCheck()`. This recursion exhausts the Squid process call stack, resulting in a Denial of Service (DoS) [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in `src/client_side_request.cc` in the `clientFollowXForwardedForCheck()` function. When the `follow_x_forwarded_for` feature is enabled, each X-Forwarded-For element triggers a recursive call via `nonBlockingCheck()`, with no bound on recursion depth. The patch introduces a hop counter (`currentXffHopNumber`) and a hard limit (`SQUID_X_FORWARDED_FOR_HOP_MAX`, default 64) in `src/ClientRequestContext.h` to break the recursion [ref_id=1][ref_id=2].
What the fix does
The patch introduces a per-request hop counter (`currentXffHopNumber`) and a compile-time limit (`SQUID_X_FORWARDED_FOR_HOP_MAX`, default 64). Before each recursive call to `nonBlockingCheck()`, the counter is incremented and compared against the limit. Once the limit is reached, Squid logs a critical error and falls through to resume normal processing instead of recursing further, preventing stack exhaustion [ref_id=1][ref_id=2].
Preconditions
- config: The follow_x_forwarded_for directive must be configured in Squid's configuration.
- network: The attacker must be able to send HTTP requests to the Squid proxy.
- input: The X-Forwarded-For header must contain more than 64 addresses (or the configured SQUID_X_FORWARDED_FOR_HOP_MAX limit).
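An added illustration of the hop-capped walk described under "What the fix does" and of the more-than-64-addresses precondition above. This is example code written for this page, not Squid's src/client_side_request.cc: the names XFF_HOP_MAX, XffWalk, splitXff, walkHop, followXff and buildXff are assumptions, and the callback re-entry through nonBlockingCheck() is modelled as direct recursion.

```cpp
// Added illustration of the hop-capped X-Forwarded-For walk; not Squid's own code.
#include <cstddef>
#include <string>
#include <vector>

constexpr int XFF_HOP_MAX = 64;  // same default as SQUID_X_FORWARDED_FOR_HOP_MAX

struct XffWalk {
    std::vector<std::string> hops;  // addresses accepted as forwarding hops
    bool limitHit = false;          // set when the cap stopped the walk
};

// Split a comma-separated header value into trimmed elements.
std::vector<std::string> splitXff(const std::string &hdr) {
    std::vector<std::string> out;
    for (std::size_t pos = 0; pos <= hdr.size();) {
        std::size_t comma = hdr.find(',', pos);
        if (comma == std::string::npos) comma = hdr.size();
        std::string item = hdr.substr(pos, comma - pos);
        std::size_t b = item.find_first_not_of(" \t"), e = item.find_last_not_of(" \t");
        if (b != std::string::npos) out.push_back(item.substr(b, e - b + 1));
        pos = comma + 1;
    }
    return out;
}

// In Squid each accepted hop re-enters the check through a callback; that
// re-entry is modelled here as direct recursion, so the depth must be bounded.
static void walkHop(const std::vector<std::string> &addrs, std::size_t idx,
                    int &hopNumber, XffWalk &res) {
    if (idx >= addrs.size()) return;
    if (++hopNumber > XFF_HOP_MAX) {  // the fix's guard: count, compare, stop
        res.limitHit = true;          // Squid logs a critical error and resumes normally
        return;
    }
    res.hops.push_back(addrs[idx]);
    walkHop(addrs, idx + 1, hopNumber, res);  // stands in for nonBlockingCheck()
}

XffWalk followXff(const std::string &hdr) {
    XffWalk res;
    int hopNumber = 0;  // per-request counter, like currentXffHopNumber
    walkHop(splitXff(hdr), 0, hopNumber, res);
    return res;
}
// Constructed sample header with n addresses 10.0.x.y (illustration input only).
std::string buildXff(std::size_t n) {
    std::string hdr;
    for (std::size_t i = 0; i < n; ++i)
        hdr += (i ? ", " : "") + std::string("10.0.") + std::to_string(i / 256) + "." + std::to_string(i % 256);
    return hdr;
}
```

With 1000 constructed addresses the walk stops after 64 hops and reports the cap; without the guard the same input would recurse once per address.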
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
- www.squid-cache.org/Versions/v6/SQUID-2023_10.patch
- github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
- lists.debian.org/debian-lts-announce/2024/01/msg00003.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
- security.netapp.com/advisory/ntap-20240119-0005/
News mentions
No linked articles in our index yet.