{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-54574", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-25T16:19:16.091Z", "datePublished": "2025-08-01T18:02:19.117Z", "dateUpdated": "2025-11-05T17:04:21.087Z"}, "containers": {"cna": {"title": "Squid's URN Handling can lead to Buffer Overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3"}, {"name": "https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988"}, {"name": "https://github.com/squid-cache/squid/releases/tag/SQUID_6_4", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/releases/tag/SQUID_6_4"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": "< 6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T18:02:19.117Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions."}], "source": {"advisory": "GHSA-w4gv-vw3f-29g3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T18:43:36.203492Z", "id": "CVE-2025-54574", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:43:46.346Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00027.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/05/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-05T17:04:21.087Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00027.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/05/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-05T17:04:21.087Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T18:43:36.203492Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:43:38.829Z"}}], "cna": {"title": "Squid's URN Handling can lead to Buffer Overflow", "source": {"advisory": "GHSA-w4gv-vw3f-29g3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": "< 6.4"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3", "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988", "name": "https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/squid-cache/squid/releases/tag/SQUID_6_4", "name": "https://github.com/squid-cache/squid/releases/tag/SQUID_6_4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T18:02:19.117Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54574", "state": "PUBLISHED", "dateUpdated": "2025-11-05T17:04:21.087Z", "dateReserved": "2025-07-25T16:19:16.091Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-01T18:02:19.117Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D384D1F-2A05-4EE0-9CB8-C83FDC53F608", "versionEndExcluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions."}, {"lang": "es", "value": "Squid es un proxy de cach\u00e9 para la web. En las versiones 6.3 y anteriores, Squid es vulnerable a un desbordamiento del b\u00fafer de mont\u00f3n y a posibles ataques de ejecuci\u00f3n remota de c\u00f3digo al procesar URN debido a una gesti\u00f3n incorrecta del b\u00fafer. Esto se ha corregido en la versi\u00f3n 6.4. Para solucionar este problema, deshabilite los permisos de acceso a URN."}], "id": "CVE-2025-54574", "lastModified": "2025-11-05T17:15:43.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-01T18:15:55.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/squid-cache/squid/releases/tag/SQUID_6_4"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/05/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00027.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "squid-cache: Squid Buffer Overflow", "id": "2386026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2386026"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-122", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Users may disable URN access permissions to mitigate this issue."}, "name": "CVE-2025-54574", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "squid:4/squid", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-01T18:02:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-54574\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-54574\nhttps://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988\nhttps://github.com/squid-cache/squid/releases/tag/SQUID_6_4\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3"], "threat_severity": "Important"}