
The Squid project has released patches for a high-severity DoS vulnerability in Squid. This vulnerability, tracked as CVE-2024-45802 with a CVSS score of 7.5, arises when Squid is configured with certain parameters, especially when the Edge Side Includes (ESI) feature is enabled.
The vulnerability stems from issues related to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime. When Squid acts as a reverse proxy with ESI enabled (a standard setting in versions 3.0 to 6.9), trusted servers can exploit this flaw to perform a DoS attack on all clients using the proxy.
This vulnerability affects all domains serviced by the proxy and all clients using it during the affected period. The issue has been addressed in Squid version 6.10 by disabling ESI by default. Users are advised to run squid – to check if they are affected: “Version 3.x, 4.x, 5.x, and 6.0.1 to 6.9 are vulnerable unless the output contains the text ‘--disable-esi’. Versions 6.10 and later are vulnerable if the output contains the text ‘--enable-esi’.”
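As an added illustration of the check quoted above (this is not code from the Squid project or from the article), the shell function below applies the stated version-and-flag rule to the kind of output `squid -v` prints. It assumes the output begins with a `Squid Cache: Version X.Y` line followed by a `configure options:` line; the sample outputs it is exercised on are constructed, not captured from real hosts.

```shell
#!/usr/bin/env bash
# Added example: classify a Squid build against the CVE-2024-45802 ESI rule
# quoted in the advisory text. Assumed output layout (from `squid -v`):
#   Squid Cache: Version 6.9
#   ...
#   configure options:  '--prefix=/usr' '--disable-esi' ...

# Constructed sample output for a given version and configure-option string.
sample_output() {
    printf 'Squid Cache: Version %s\nService Name: squid\nconfigure options:  %s\n' "$1" "$2"
}

# Usage: squid_esi_status "<full output of squid -v>"
# Prints "vulnerable", "not-vulnerable", "unknown-version" or "out-of-scope".
# Return code: 0 not vulnerable, 1 vulnerable, 2 could not classify.
squid_esi_status() {
    out="$1"
    ver=$(printf '%s\n' "$out" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unknown-version"; return 2; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$rest" = "$ver" ] && minor=0   # version had no minor component

    # legacy=1: the 3.x-6.9 rule (ESI built in unless disabled)
    # legacy=0: the 6.10+ rule (ESI off unless enabled)
    case "$major" in
        3|4|5) legacy=1 ;;
        6) [ "$minor" -lt 10 ] && legacy=1 || legacy=0 ;;
        *) [ "$major" -gt 6 ] && legacy=0 || { echo "out-of-scope"; return 2; } ;;
    esac

    if [ "$legacy" -eq 1 ]; then
        case "$out" in
            *--disable-esi*) echo "not-vulnerable"; return 0 ;;
            *)               echo "vulnerable";     return 1 ;;
        esac
    else
        case "$out" in
            *--enable-esi*) echo "vulnerable";     return 1 ;;
            *)              echo "not-vulnerable"; return 0 ;;
        esac
    fi
}

# Stand-alone demonstration on constructed version/option pairs.
for demo in "6.9|--prefix=/usr" "6.9|--prefix=/usr '--disable-esi'" \
            "6.10|--prefix=/usr" "6.10|--prefix=/usr '--enable-esi'"; do
    demo_ver=${demo%%|*}
    demo_opts=${demo#*|}
    printf '%-5s %-32s -> ' "$demo_ver" "$demo_opts"
    squid_esi_status "$(sample_output "$demo_ver" "$demo_opts")" || true
done
```

On a live host the function would be fed `"$(squid -v)"` instead of `sample_output`; the substring match mirrors the advisory's own wording, which keys only on whether the configure-option text contains `--disable-esi` or `--enable-esi`.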
For those unable to upgrade immediately, the Squid team suggests rebuilding Squid with the --disable-esi flag as a temporary workaround until a full update is possible.