Cyber Posture

CVE-2025-54574

Severity: Critical
Published: 01 August 2025
Modified: 05 November 2025
KEV Added: not listed
Patch: fixed in Squid 6.4
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H)
EPSS Score: 0.0390 (88.4th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54574 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Squid-Cache Squid. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 11.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely remediation of flaws by patching Squid to version 6.4, which directly addresses the heap buffer overflow.

CM-7 Least Functionality (prevent): Implements least functionality by disabling unnecessary URN processing, matching the recommended workaround that blocks the vulnerable code path.

Input validation (prevent): Validates URN inputs to prevent out-of-bounds writes and heap overflows caused by malformed requests.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Heap buffer overflow in public-facing Squid proxy enables unauthenticated remote exploitation for RCE/DoS, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.

Deeper analysis

CVE-2025-54574 is a heap buffer overflow vulnerability in Squid, a caching proxy for the Web, affecting versions 6.3 and below. The flaw stems from incorrect buffer management when processing URN requests, potentially enabling remote code execution. It is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), earning a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H).

Unauthenticated remote attackers with network access can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation could result in a high availability impact (denial of service), a low integrity impact, and possible remote code execution on the affected Squid instance; the Scope: Changed (S:C) metric indicates that the impact can extend beyond the vulnerable Squid component itself.

The vulnerability is fixed in Squid version 6.4, as detailed in the GitHub commit a27bf4b84da23594150c7a86a23435df0b35b988 and release notes for SQUID_6_4. A recommended workaround is to disable URN access permissions. Additional guidance appears in the Squid security advisory GHSA-w4gv-vw3f-29g3, oss-security mailing list announcement, and Debian LTS advisory.
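The workaround named above ("disable URN access permissions") is applied in squid.conf. The fragment below is an added example, not taken from the Squid advisory or the Squid project; the ACL names and the 10.0.0.0/8 network are assumptions, and it is meant only for a Squid 6.3 or earlier instance that cannot be upgraded to 6.4 immediately.

```conf
# Added example (not from the advisory): squid.conf fragment that denies
# URN requests so they never reach the vulnerable URN handling code.
# ACL names and the 10.0.0.0/8 network below are assumptions.

# --- Weak: a typical permissive policy. Nothing here denies URN requests,
# so "urn:" URLs are processed by the code fixed in Squid 6.4.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# --- Corrected: match on the request protocol and deny it before any
# allow rule. http_access is evaluated top to bottom, first match wins,
# so the deny line must precede "http_access allow localnet".
acl urn_requests proto URN
http_access deny urn_requests
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Validate the file, then apply it without a restart:
#   squid -k parse
#   squid -k reconfigure
```

Keep only one of the two policies in a real file; the corrected one is a stopgap, and upgrading to 6.4 remains the fix.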

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products: squid-cache / squid, ≤ 6.4

CVEs Like This One

CVE-2026-32748: Same product: Squid-Cache Squid
CVE-2026-33526: Same product: Squid-Cache Squid
CVE-2025-62168: Same product: Squid-Cache Squid
CVE-2026-5187: Shared CWE-122, CWE-787
CVE-2026-5450: Shared CWE-122, CWE-787
CVE-2025-58447: Shared CWE-122, CWE-787
CVE-2025-30216: Shared CWE-122, CWE-787
CVE-2025-25249: Shared CWE-122, CWE-787
CVE-2026-0793: Shared CWE-122, CWE-787
CVE-2026-26284: Shared CWE-122, CWE-787

References