If you run a shared Squid proxy, assume someone could have read your users' HTTP requests in cleartext. That is the blunt version of Squidbleed, tracked as CVE-2026-47729 and disclosed by Calif.io in June 2026. It is a Heartbleed-style memory disclosure that has shipped in Squid's default configuration since 1997, and the trigger is depressingly cheap: a malformed FTP directory listing from a server the proxy is willing to talk to.
The naming homage is earned. Like Heartbleed, this bug hands an attacker chunks of process memory that were never meant to leave the machine, and like Heartbleed, the worst part is not the exploit, it is the dwell time. This code has been live for roughly 29 years across audits, rewrites, and countless package builds. Nobody caught it until an AI-assisted review went looking.
What actually leaks, and to whom
Squidbleed is a heap buffer overread in Squid's FTP directory-listing parser. When Squid fetches an FTP listing through the proxy, it walks the response to format a browsable directory page. A malformed listing, specifically one missing a filename where the parser expects one, drives a copy loop past the end of its buffer. The data sitting in adjacent memory gets copied into the output the attacker receives.
What sits in that adjacent memory matters. Squid recycles fixed-size buffers (the MEM_4K_BUF pool) across requests, so the bytes you get back are frequently the remains of other users' HTTP requests: URLs, cookies, Authorization headers, API keys, session tokens. According to the public writeup, that is exactly the kind of data observed leaking.
The important scoping detail: most modern traffic is HTTPS, which Squid relays as an opaque CONNECT tunnel it cannot see into. So the exposure is real but bounded. It hits cleartext HTTP and any setup where the proxy terminates TLS. The environments most at risk are the ones where many people share one Squid instance and trust it to keep their traffic separate: corporate egress proxies, university networks, and public Wi-Fi gateways. In those settings, one malicious user pulling memory out of the shared process is reading their neighbors' sessions.
The 1997 one-liner
The root cause is almost insultingly small. Calif.io traced it to commit bb97dd37a from January 18, 1997, a compatibility fix for NetWare FTP servers. The parser uses strchr(w_space, *copyFrom) to skip whitespace while walking the listing. The trap is a C standard detail that almost everyone forgets: strchr includes the null terminator in its search. Searching a string for the byte '\0' succeeds, because the terminator is part of the string by definition. So when *copyFrom is the end-of-string null byte, strchr returns non-NULL, the loop concludes there is more whitespace to skip, and the pointer marches off the end of the buffer.
The fix is one extra condition: check for the null byte before consulting strchr, something like while (*copyFrom && strchr(w_space, *copyFrom)). That is the entire patch. Decades of severity reduced to a missing two-character guard.
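The strchr detail above is easy to misread until you run it, so here is an added, self-contained C demonstration (written for this page, not Squid's own parser) that shows both shapes of the loop side by side. It assumes w_space is Squid's whitespace set " \t\n\r", and the listing buffer is constructed so that the bytes "past the terminator" still sit inside our own array, which keeps the demo well-defined while still showing the unchecked loop walking over the null byte into neighbouring data:

```c
/* Added example (not Squid's code): the strchr() terminator trap behind
 * Squidbleed, reduced to two whitespace-skipping loops.  w_space is assumed to
 * match Squid's " \t\n\r"; the listing buffer is constructed so the bytes past
 * the terminator are still inside our own array. */
#include <stdio.h>
#include <string.h>

#define w_space " \t\n\r"   /* assumed to match Squid's definition */

/* strchr(s, '\0') finds the terminator: returns 1 under the C standard. */
int strchr_matches_nul(void) {
    return strchr(w_space, '\0') != NULL;
}

/* The 1997 shape of the loop: no terminator check.  Returns how many bytes it
 * walked before stopping.  When the whitespace run ends at '\0', it steps over
 * the terminator and keeps going into whatever lies beyond it. */
size_t skip_ws_unchecked(const char *buf) {
    const char *p = buf;
    while (strchr(w_space, *p))
        p++;
    return (size_t)(p - buf);
}

/* The patched shape: test for the terminator before consulting strchr. */
size_t skip_ws_checked(const char *buf) {
    const char *p = buf;
    while (*p && strchr(w_space, *p))
        p++;
    return (size_t)(p - buf);
}

/* Constructed listing fragment: two spaces, the terminator, more whitespace,
 * then bytes standing in for a neighbouring request ("secret").  The whole
 * thing lives in one 16-byte array, so the unchecked read stays in bounds. */
static const char demo_listing[16] = "  \0 \tsecret";

size_t demo_unchecked(void) { return skip_ws_unchecked(demo_listing); }
size_t demo_checked(void)   { return skip_ws_checked(demo_listing); }

int main(void) {
    printf("strchr(w_space, '\\0') != NULL: %d\n", strchr_matches_nul());
    printf("unchecked loop stopped at offset %zu (past the terminator)\n",
           demo_unchecked());
    printf("checked loop stopped at offset %zu (at the terminator)\n",
           demo_checked());
    return 0;
}
```

The unchecked loop stops at offset 5, on the first byte of "secret", which is exactly the behaviour that lets the real parser copy from beyond the listing; the checked loop stops at offset 2, on the terminator. In a real heap buffer there is no friendly 's' to stop on, only whatever the next 4K pool chunk happens to hold.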
It is worth sitting with how ordinary this mistake is. There is nothing exotic here. No race condition, no clever heap grooming required to find the bug itself, no obscure protocol corner. It is a misread of one library function's contract, written by someone solving a real interoperability problem in 1997, and it survived because nothing ever forced a re-examination of that code path.
Why ancient defaults linger
The technical bug is half the story. The other half is why it was reachable at all, and that is a configuration story.
Exploitation requires the proxy to connect to an attacker-controlled FTP server on TCP port 21. In a hardened world that would be a meaningful barrier. In the real world it is not, because Squid ships FTP support enabled and port 21 sits in the default Safe_ports ACL. No flags, no edits, no non-default settings. Out of the box, a Squid proxy will happily fetch FTP for a user, which means a user can point it at their own malicious FTP server and start harvesting memory.
This is the recurring pattern with long-lived infrastructure software. Defaults are written once, in the context of their era, and then they calcify. FTP was a sensible thing for a 1990s web proxy to support; the web ran on it. Thirty years later almost nobody proxies FTP, but the support is still on, still in the safe-ports list, still part of the attack surface of every default install. The default never got revisited because revisiting defaults breaks people's setups, and "it has always been this way" is a powerful force in widely deployed software.
The supply-chain angle is the same shape. Squid is not a dependency you npm install; it is a transitive part of your infrastructure, baked into base images, appliances, and managed services. An AIBOM or SBOM that only tracks application libraries will not surface a Squid binary lurking in a network appliance's firmware or a container you inherited. The vulnerable code can be three layers removed from anything your team wrote, which is precisely why a 29-year-old default can still be sitting in production today.
Timeline and patch status
The disclosure timeline is clean, and credit where due: Calif.io reported the issue to Squid privately on April 17, 2026, with public disclosure on June 10, 2026, giving the maintainers a real coordination window. The discovery itself reportedly came out of an AI-assisted code review, as part of broader work to find latent bugs in widely used open-source software.
The fix landed in the Squid v7 and v8 branches around mid-May 2026. On the exact release that carries it, reporting initially pointed at v7.6 (released June 8, 2026), but a Squid maintainer subsequently corrected the record on the oss-security list to indicate the fix ships in a later 7.x release. Treat the precise version label with care and confirm against the official Squid advisory for your branch before you certify yourself patched.
I have not seen a published CVSS score I would stand behind, so I am not going to invent one. The honest characterization is high-impact information disclosure with a real but non-trivial precondition (the proxy must reach an attacker FTP server). In a multi-tenant proxy that precondition is usually satisfied by default, which is what makes this more than academic.
How to remediate
In rough priority order:
- Patch. Upgrade to a Squid release that carries the null-check fix, and verify the version against the official Squid security advisory rather than third-party summaries.
- Kill FTP if you do not need it. This is the strongest mitigation and most of you do not proxy FTP. Disable FTP handling and remove port 21 from the Safe_ports ACL. That closes the trigger regardless of patch state.
- Constrain outbound reachability. If the proxy cannot open arbitrary outbound port 21 connections to the internet, the attacker cannot host the malicious FTP server it needs.
- Hunt for shadow Squid. Inventory where Squid actually runs, including appliances, base images, and managed services where it is an implementation detail you did not choose. The instance you forgot about is the one that bites you.
- Rotate exposed secrets if you operated a shared or TLS-terminating proxy and cannot rule out exploitation. Session tokens and API keys that transited a vulnerable instance should be treated as potentially leaked.
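To make the "default Safe_ports" point and the "kill FTP" step concrete, here is an added squid.conf excerpt (written for this page, not taken from the Squid project's shipped file or advisory). The first block reproduces the shape of the stock Safe_ports lines; the second is the hardened form that drops port 21 and denies the FTP URL scheme outright using Squid's proto ACL type. Everything else in the file is assumed to be your existing configuration:

```conf
# --- Stock shape (what a default squid.conf carries): port 21 is a "safe" port
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
http_access deny !Safe_ports

# --- Hardened: no FTP in Safe_ports, and ftp:// URLs refused before any allow rule
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl FTP proto FTP               # matches requests whose URL scheme is ftp://
http_access deny FTP            # must appear before your first http_access allow
http_access deny !Safe_ports
```

Order matters: Squid evaluates http_access rules top down and stops at the first match, so the deny FTP line has to sit above any allow rule that would otherwise admit the request. After editing, run squid -k parse to catch syntax errors and squid -k reconfigure to apply without dropping existing connections; then confirm with a request for an ftp:// URL through the proxy that you get a denial rather than a listing.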
How Safeguard Helps
Squidbleed is the kind of finding that hides where most tooling does not look: deep in transitive infrastructure, behind a default nobody revisits. Safeguard's AIBOM and ML-BOM inventory surface components like Squid wherever they appear in your images and supply chain, and our policy gates and vendor scorecards let you act on a default-config risk instead of just noting the CVE. The detection model that surfaces a bug like this is just one component; the reliability lives in the verification and orchestration layer above it, where our multi-agent engine cross-checks findings to cut false positives. It is model-agnostic by design, so different underlying models plug in as interchangeable parts. If you want to know whether a vulnerable Squid is sitting in your stack, reach out.