Cyber Resilience

CVE-2025-54574

Severity: Critical
Published: 01 August 2025
Modified: 05 November 2025
KEV Added: not listed
Patch: available (Squid 6.4)
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H)
EPSS Score: 0.1987 (95.6th percentile)
Risk Priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54574 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Squid-Cache Squid. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Squid, a widely used caching proxy for the Web, contains a heap buffer overflow vulnerability in versions 6.3 and earlier that stems from incorrect buffer management during URN processing. The flaw is tracked as CVE-2025-54574 and carries a CVSS 3.1 score of 9.3, reflecting network-accessible attack vectors with low complexity and no required authentication. It has been corrected in release 6.4.

An unauthenticated remote attacker can supply a crafted URN that triggers the overflow, resulting in a heap corruption condition that may be leveraged for remote code execution or at least denial-of-service and limited integrity impact with changed scope.

Official sources, including the Squid GitHub security advisory GHSA-w4gv-vw3f-29g3, the 6.4 release notes, and distribution lists such as Debian LTS and oss-security, confirm the patch and recommend disabling URN access permissions as an immediate workaround until upgrades can be applied. The associated EPSS score remains flat at 0.0932 with no observed upward trajectory after disclosure.

Vulnerability details

Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
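The interim workaround above, written out as a squid.conf fragment. This is an added example, not text from the advisory or the Squid project; the ACL name URN and the localnet lines are placeholders chosen here, while the "proto" ACL type and the top-down, first-match evaluation of http_access are standard Squid behaviour.

```conf
# Added example (not from the Squid project): deny URN requests as an interim
# workaround for CVE-2025-54574 until the proxy is upgraded to 6.4 or later.
#
# The "proto" ACL type matches the URL scheme of a request, so this ACL
# matches any urn: request before it reaches the URN processing code.
acl URN proto URN

# The deny rule must appear BEFORE any "http_access allow" line that could
# match the same clients: Squid evaluates http_access top-down, first match wins.
http_access deny URN

# Existing access rules follow unchanged (placeholder network below).
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Validate the edited file with `squid -k parse` and apply it with `squid -k reconfigure`, then confirm a urn: request is refused and logged as denied in access.log before relying on the rule.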

CWE(s)

CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Heap buffer overflow in public-facing Squid proxy enables unauthenticated remote exploitation for RCE/DoS, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32748 (same product: Squid-Cache Squid)
CVE-2025-62168 (same product: Squid-Cache Squid)
CVE-2026-33526 (same product: Squid-Cache Squid)
CVE-2026-5187 (shared CWE-122, CWE-787)
CVE-2025-25249 (shared CWE-122, CWE-787)
CVE-2026-5450 (shared CWE-122, CWE-787)
CVE-2025-30216 (shared CWE-122, CWE-787)
CVE-2025-58447 (shared CWE-122, CWE-787)
CVE-2026-0793 (shared CWE-122, CWE-787)
CVE-2025-1538 (shared CWE-122, CWE-787)

Affected Assets

squid-cache / squid, versions ≤ 6.4

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): Requires timely remediation of flaws through patching Squid to version 6.4, directly addressing the heap buffer overflow vulnerability.

prevent (CM-7 Least Functionality): Implements least functionality by disabling unnecessary URN processing, matching the recommended workaround to block exploitation.

prevent: Validates URN inputs to prevent out-of-bounds writes and heap overflows from malformed requests.
