Squidbleed (CVE-2026-47729)
Heartbleed's ancient cousin, hiding in Squid since 1997.
Calif
Jun 18, 2026
Two weeks ago, we dropped an HTTP/2 bomb cooked up by Codex Cyber. This time, we sent Claude Mythos Preview spelunking through Squid's guts, and it surfaced clutching a 29-year-old bug.

Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration.
This bug is a whirlwind tour of old-school Internet lore. It involves FTP, NetWare, and DJB, names that only the most diehard Internet fans will recognize.

It comes down to a few of C's favorite footguns: null-terminated strings, pointer arithmetic, and a weird strchr edge case. Mix these ingredients into an open-source web proxy, and you get a heap buffer overread that quietly leaks random users' HTTP requests, despite three decades of releases, audits, and rewrites.

One caveat: the impact is situational. Most traffic is HTTPS, which the proxy relays as an opaque CONNECT tunnel, so only cleartext HTTP and TLS-terminating setups are exposed. The proxy must also be allowed to reach an attacker-controlled FTP server (TCP port 21).

A tip of the hat to Anthropic, our partner-in-crime on the quest to make open-source software a little more secure.

The Target: Squid Proxy
Squid is a widely deployed multipurpose web proxy. While it was designed to speed up page loads by caching frequently accessed content, it can also be used for traffic interception, monitoring, and filtering.

Thus, Squid is often found in multi-user environments such as schools or corporate networks. In fact, I encountered Squid while attempting to access the Internet on a recent flight:
As you might expect, the version of Squid deployed on that plane was released nearly 10 years ago and is affected by the vulnerability I'm about to share with you.

FTP: Finicky To Parse
While HTTP forms the majority of web traffic, Squid also supports FTP (File Transfer Protocol, a legacy protocol for moving files between machines) by default.

When connecting to an FTP server via Squid, a nice HTML file listing is helpfully generated:
Unfortunately for Squid, FTP doesn't have a standardized machine-readable file listing format. Instead, the FTP LIST command typically returns something that sort of looks like the output from ls -l:

    -rw-r--r-- 1 1000 1000 40 May 20 04:17 hello.txt
    -rw-r--r-- 1 1000 1000 21 May 20 04:17 readme.txt
This poorly-specified textual format is notoriously hard to parse, especially while staying compatible with every FTP server on the Internet. One of our Internet heroes, DJB, wrote about it too, calling the format hard to parse with even moderate reliability. And when DJB says something is hard, you know it really is.

It is thus no surprise that when I asked Claude Mythos Preview to:

    Spawn more agents to investigate the full [FTP] state machine behavior better
one of the first bugs it found was in Squid's FTP directory listing parser.

Searching for NULL
The bug predates all available commit history in Squid's GitHub repo.

Commit bb97dd37a, created on Jan 18, 1997, includes the following changelog entry:

    Fixed ftpget to recognize 'NetWare' servers and skip whitespace before filenames.
NetWare was a network operating system, wildly popular in the late 80s and 90s for running corporate file and print servers, and its bundled FTP service was a common way to move files on and off those machines.

This was necessary as NetWare FTP servers output 4 spaces between the modification timestamp and the filename:

    d [R----F--] supervisor 512 Jan 16 18:53    login
    - [R----F--] rhesus 214059 Oct 20 15:27    cx.exe
This was contrary to the behavior of most other FTP servers, which used just a single space.

With that historical context in mind, let's have a look at the modern implementation of that fix, nearly 30 years on:

    // from compat/compat_shared.h
    #define w_space " \t\n\r"

    // copyFrom: first byte after the parsed timestamp token
    copyFrom = buf + tokens[i + 2].pos + strlen(tokens[i + 2].token);

    if (flags.skip_whitespace) {
        while (strchr(w_space, *copyFrom))
            ++copyFrom;
    } else {
        /* Handle the following four formats:
         * "MMM DD YYYY Name"
         * "MMM DD YYYYName"
         * "MMM DD YYYY Name"
         * "MMM DD YYYY Name"
         * Assuming a single space between date and filename
         * suggested by: Nathan.Bailey@cc.monash.edu.au and
         * Mike Battersby */
        if (strchr(w_space, *copyFrom))
            ++copyFrom;
    }

    p->name = xstrdup(copyFrom);
After parsing the timestamp, copyFrom points to the first byte after it. If the FTP server's banner contains "NetWare", flags.skip_whitespace is set, and the while (strchr(w_space, *copyFrom)) loop skips past the extra whitespace.

Once copyFrom lands on the first non-whitespace byte, xstrdup copies it out as the filename. Looks correct, right?
It seemed like the perfect application of the C pointer arithmetic they teach in school.

But Claude Mythos Preview thought otherwise.

Confirmed. strchr(w_space, '\0') returns non-NULL per...
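To make the edge case concrete, here is an added example (not Squid's code) that replays the skip loop over a constructed buffer standing in for the heap: a NetWare-style line whose timestamp is followed only by padding, its terminator, and then a neighbouring request that happens to sit after it in memory. The `end` bound and the request bytes are assumptions for the demo; Squid's loop has no such bound.

```c
#include <stddef.h>
#include <string.h>

/* Same whitespace set Squid defines in compat/compat_shared.h. */
#define W_SPACE " \t\n\r"

/* The edge case behind the bug: strchr(s, '\0') is specified to locate s's
 * own terminator, so it returns non-NULL when asked about the NUL byte. */
int nul_counts_as_whitespace(void)
{
    return strchr(W_SPACE, '\0') != NULL;
}

/* Constructed heap neighbourhood (not a real Squid memory dump): a line whose
 * timestamp is followed only by padding, its terminator, then whatever was
 * allocated next, here another client's cleartext request. */
#define TS_END "d [R----F--] supervisor 512 Jan 16 18:53"
#define LINE   TS_END "    "
static const char arena[] =
    LINE "\0" "GET /account/settings HTTP/1.1\r\nCookie: session=abc";

/* Mirrors the page's skip_whitespace loop. Because '\0' "matches" W_SPACE,
 * it walks through the line's terminator into the bytes beyond. The `end`
 * bound only keeps this demo inside its own array. */
const char *skip_ws_vulnerable(const char *p, const char *end)
{
    while (p < end && strchr(W_SPACE, *p))
        ++p;
    return p;
}

/* Hardened variant: test for the terminator before consulting strchr. */
const char *skip_ws_fixed(const char *p)
{
    while (*p != '\0' && strchr(W_SPACE, *p))
        ++p;
    return p;
}

/* What xstrdup(copyFrom) would copy as the "filename" in each variant,
 * starting from the first byte after the timestamp. */
const char *name_vulnerable(void)
{
    const char *copy_from = arena + sizeof(TS_END) - 1;
    return skip_ws_vulnerable(copy_from, arena + sizeof(arena) - 1);
}

const char *name_fixed(void)
{
    return skip_ws_fixed(arena + sizeof(TS_END) - 1);
}
```

The non-NetWare branch on the page has the same flaw in miniature: its single `if (strchr(w_space, *copyFrom)) ++copyFrom;` steps one byte past a terminator, so the terminator check belongs in both branches.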