CVE-2025-54574
Published: 01 August 2025
Summary
CVE-2025-54574 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Squid-Cache Squid. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Squid, a widely used caching proxy for the Web, contains a heap buffer overflow vulnerability in versions 6.3 and earlier that stems from incorrect buffer management during URN processing. The flaw is tracked as CVE-2025-54574 and carries a CVSS 3.1 score of 9.3, reflecting network-accessible attack vectors with low complexity and no required authentication. It has been corrected in release 6.4.
An unauthenticated remote attacker can supply a crafted URN that triggers the overflow, producing heap corruption that may be leveraged for remote code execution, or at minimum for denial of service and limited integrity impact; the CVSS vector records a changed scope.
Official sources, including the Squid GitHub security advisory GHSA-w4gv-vw3f-29g3, the 6.4 release notes, and distribution lists such as Debian LTS and oss-security, confirm the patch and recommend disabling URN access permissions as an immediate workaround until the upgrade can be applied. The associated EPSS score remains flat at 0.0932, with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23392
Vulnerability details
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
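The workaround above is a squid.conf change. The following added example, which is not code from the Squid project or from this advisory, checks a configuration for it; it assumes the conventional form of the workaround, an `acl NAME proto URN` line followed by `http_access deny NAME`, and that Squid evaluates `http_access` rules in order, stopping at the first match.

```python
"""Check whether a squid.conf carries the CVE-2025-54574 workaround (deny URN).
Added example, not Squid project code. Assumes the usual form of the workaround,
'acl NAME proto URN' plus 'http_access deny NAME', and that Squid evaluates
http_access rules in order, stopping at the first match."""


def parse_directives(conf_text):
    """Yield (directive, args) for each non-comment, non-blank line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def urn_workaround_status(conf_text):
    """'blocked': a deny rule on a proto-URN ACL precedes every allow rule.
    'after-allow': the deny exists but an allow rule precedes it, so URN
    requests matching that allow are still processed. 'missing': no such deny."""
    urn_acls = set()
    rules = []
    for directive, args in parse_directives(conf_text):
        if directive == "acl" and len(args) >= 3 and args[1].lower() == "proto":
            if any(v.lower() == "urn" for v in args[2:]):
                urn_acls.add(args[0])
        elif directive == "http_access" and args:
            rules.append((args[0].lower(), args[1:]))
    seen_allow = False
    for action, acls in rules:
        # a deny whose only condition is the URN ACL rejects every URN request
        if action == "deny" and len(acls) == 1 and acls[0] in urn_acls:
            return "after-allow" if seen_allow else "blocked"
        if action == "allow":
            seen_allow = True
    return "missing"


# Constructed sample configurations, not taken from any real deployment.
UNPATCHED_CONF = """
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""
HARDENED_CONF = """
acl URN proto URN
http_access deny URN   # advisory workaround, placed before any allow rule
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""
```

A deny rule that sits after an `http_access allow` line is reported as `after-allow`, because clients matching that allow would still have their URN requests processed.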
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap buffer overflow in a public-facing Squid proxy enables unauthenticated remote exploitation for RCE or DoS, which maps directly to T1190.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely remediation of flaws by patching Squid to version 6.4, which directly addresses the heap buffer overflow.
CM-7 (Least Functionality): implements least functionality by disabling unnecessary URN processing, matching the recommended workaround that blocks exploitation.
Input validation of URNs prevents out-of-bounds writes and heap overflows from malformed requests.