CVE-2025-54574

Name: CVE-2025-54574
Description: Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution when processing URN requests, due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5982-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | bullseye | 4.13-10+deb11u3 | vulnerable |
| squid (PTS) | bullseye (security) | 4.13-10+deb11u4 | vulnerable |
| squid (PTS) | bookworm, bookworm (security) | 5.7-2+deb12u3 | fixed |
| squid (PTS) | trixie | 6.13-2 | fixed |
| squid (PTS) | forky, sid | 7.1-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| squid | source | bookworm | 5.7-2+deb12u3 | | DSA-5982-1 | |
| squid | source | (unstable) | 6.5-1 | | | |

Notes

https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988 (SQUID_6_4)
Included in set of fixes for CVE-2023-5824
