Denial of Service in HTTP Header parser in squid proxy
Description
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator sets these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
23 entries (OSV coordinates with affected version ranges; 21 package coordinates plus one range without coordinates):
- pkg:rpm/almalinux/libecap range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/libecap-devel range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/squid range: < 7:4.15-7.module_el8.9.0+3749+dbf371ed.10
- pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.5 range: < 5.7-150400.3.26.1
- pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweed range: < 6.8-1.1
- pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%207.1 range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 range: < 4.17-4.44.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 range: < 4.17-4.44.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 range: < 4.17-150000.5.52.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Manager%20Proxy%204.3 range: < 5.7-150400.3.26.1
- pkg:rpm/suse/squid&distro=SUSE%20Manager%20Server%204.3 range: < 5.7-150400.3.26.1
- (no OSV coordinates, no CPE) range: < 6.5
Patches
Vulnerability mechanics
Root cause
"A Collapse of Data into Unsafe Value bug allows for Denial of Service when handling oversized HTTP headers."
Attack vector
A remote client or server can trigger a Denial of Service by sending oversized headers in HTTP messages. This is particularly effective if the `request_header_max_size` or `reply_header_max_size` settings are not changed from their default values in Squid versions prior to 6.5. In version 6.5 and later, the default settings are safe, but the application will still emit a warning if an administrator configures these parameters to unsafe values.
Affected code
The vulnerability lies within the HTTP header parsing logic in Squid. Specifically, the configuration parameters `request_header_max_size` and `reply_header_max_size` are involved. The patch modifies the `configDoConfigure` function to include checks and warnings for these header size limits [ref_id=1].
What the fix does
The patch introduces checks to warn administrators if `request_header_max_size` or `reply_header_max_size` are set to values that exceed a calculated safe limit, which is approximately one-third of the maximum String size. This limit is intended to mitigate the risk of Denial of Service attacks related to oversized headers. While the warning is emitted, the application does not prevent the configuration of these unsafe values at this time [ref_id=1].
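The patch's check is a configuration-time sanity test: read the two header-size directives and warn when they exceed a limit. The same test can be run ahead of time against a squid.conf before it is deployed. The script below is an added example for this page, not Squid's own code and not the logic in the fix commit; it parses Squid's byte-size argument syntax (`64 KB`, `1 MB`, and so on) and reports any `request_header_max_size` or `reply_header_max_size` value above a caller-supplied limit. The limit itself is left as a parameter: the page states only that Squid derives it from roughly one-third of its maximum String size and gives no number, so the value used in `main()` is a constructed placeholder, not the real threshold. The assumption that a later occurrence of a directive overrides an earlier one, and that `#` begins a comment, are simplifications of Squid's parser.

```python
import re

# Unit multipliers for Squid byte-size directives (Squid accepts bytes, KB, MB, GB).
_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# The two directives named in the advisory.
HEADER_SIZE_DIRECTIVES = ("request_header_max_size", "reply_header_max_size")


def parse_squid_size(value):
    """Parse a Squid size argument such as '64 KB' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", value)
    if not m:
        raise ValueError(f"malformed size argument: {value!r}")
    number, unit = m.groups()
    if unit not in _UNITS:
        raise ValueError(f"unknown size unit: {unit!r}")
    return int(number) * _UNITS[unit]


def find_header_size_limits(conf_text):
    """Return {directive: bytes} for the header-size directives present in a
    squid.conf text. A later occurrence overrides an earlier one (assumption:
    last-wins, as for simple value directives)."""
    limits = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in HEADER_SIZE_DIRECTIVES and len(parts) == 2:
            limits[parts[0]] = parse_squid_size(parts[1])
    return limits


def audit_header_limits(conf_text, safe_limit_bytes):
    """Return [(directive, configured_bytes)] for every header-size directive
    set above safe_limit_bytes. Directives left unset are not reported: on
    a pre-6.5 Squid the default itself is the problem, so an absent directive
    is a finding for the version check, not for this size check."""
    found = find_header_size_limits(conf_text)
    return [(d, v) for d, v in found.items() if v > safe_limit_bytes]


# Constructed squid.conf fragment used as sample input (not a real deployment).
SAMPLE_CONF = """\
# constructed example configuration
http_port 3128
request_header_max_size 64 KB
reply_header_max_size 256 KB   # deliberately large for the demonstration
"""

# Placeholder limit for the demonstration only; the real threshold is computed
# inside Squid from its String size limit and is not stated on this page.
EXAMPLE_SAFE_LIMIT_BYTES = 64 * 1024


def main():
    for directive, size in audit_header_limits(SAMPLE_CONF, EXAMPLE_SAFE_LIMIT_BYTES):
        print(f"WARNING: {directive} = {size} bytes exceeds {EXAMPLE_SAFE_LIMIT_BYTES} bytes")


if __name__ == "__main__":
    main()
```

Run against a real configuration, replace `EXAMPLE_SAFE_LIMIT_BYTES` with the limit your Squid version enforces and treat any reported directive the same way Squid 6.5 treats it: as a setting that needs to come back down, since the proxy will warn but not refuse it.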
Preconditions
- In versions prior to 6.5, the `request_header_max_size` or `reply_header_max_size` settings must be at their default values for the vulnerability to be easily exploitable. In 6.5 and later, the defaults are safe, but administrators can still configure unsafe values.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817 (mitre, x_refsource_MISC)
- github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr (mitre, x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20240322-0006/ (mitre)