A heap over-read bug in the Squid web proxy — present since a 1997 FTP-parsing code change — can leak other users’ cleartext HTTP requests, including credentials and session tokens, to anyone already permitted to use the same proxy. Researchers at Calif.io disclosed the vulnerability in June and named it Squidbleed (CVE-2026-47729).
The bug lives in Squid’s FTP directory-listing parser. A whitespace-skipping loop fails to check for a null terminator, so when an attacker-controlled FTP server sends a listing line with no filename, the code walks off the end of its buffer. Because Squid reuses freed memory without zeroing it, the over-read returns bytes from a previous victim’s HTTP request — potentially including Authorization headers, cookies, and other sensitive data.
The attack requires the proxy to reach an FTP server the attacker controls on port 21. Both FTP and that port are enabled by default in Squid. The leaked traffic is limited to cleartext HTTP and TLS-terminating setups — normal HTTPS tunnels through CONNECT remain opaque.
Squid rates this as a trusted-client attack: the attacker needs existing proxy access, not an open internet connection. That matches Squid’s typical deployment in shared networks — schools, offices, public Wi-Fi — where the attacker is just another user on the same proxy.
The fix is a null-terminator check before the vulnerable strchr calls, merged to Squid’s development branch in April and v7 in May. There’s some confusion about which stable version patches it first — the maintainer initially pointed to 7.6, then corrected to 7.7, though Debian’s security team noted the fix commit appears to be in 7.6. If you patch, verify the guard is actually in FtpGateway.cc rather than trusting the version number alone.
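As an added illustration of the bug class and the fix described above (this is constructed example code, not Squid's own FtpGateway.cc), the following C shows the strchr quirk that lets a whitespace-skipping loop run past a line's terminator, beside the terminator check that stops it. The listing line and the stale bytes after its NUL are constructed sample data; in the real bug the over-read leaves the allocation, whereas here it stays inside one buffer so the program runs deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Characters treated as whitespace between listing fields. */
#define WS " \t"

/* Constructed sample: a listing line with no filename (just spaces),
 * followed by stand-in bytes for stale data left in a reused, unzeroed
 * allocation. The embedded '\0' ends the line as the parser sees it. */
static const char sample[] = "   \0Authorization: Basic stale-data";

/* The quirk: strchr(set, '\0') matches the set's own terminator and so
 * never returns NULL for the NUL byte. Returns 1 if that holds. */
int strchr_matches_terminator(void)
{
    return strchr(WS, '\0') != NULL;
}

/* Unsafe pattern: no terminator check, so on a line without a filename
 * the loop steps over the NUL and hands back whatever bytes follow. */
const char *unsafe_next_token(const char *p)
{
    while (strchr(WS, *p))
        p++;
    return p;
}

/* Hardened pattern: test for the terminator before consulting strchr,
 * and report "no token" (NULL) instead of a pointer past the line. */
const char *safe_next_token(const char *p)
{
    while (*p != '\0' && strchr(WS, *p))
        p++;
    return *p != '\0' ? p : NULL;
}

int main(void)
{
    const char *leak = unsafe_next_token(sample);
    const char *tok = safe_next_token(sample);
    printf("strchr matches NUL: %d\n", strchr_matches_terminator());
    printf("unsafe: \"%s\"\n", leak);          /* stale bytes past the line */
    printf("safe:   %s\n", tok ? tok : "(no token)");
    printf("normal: \"%s\"\n", safe_next_token("  -rw-r--r-- file.txt"));
    return 0;
}
```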
The researchers recommend the simpler path: turn FTP off. Chromium dropped FTP support years ago, and most networks carry almost none of it. Disabling it removes this attack surface entirely.
SUSE rates the bug at CVSS 6.5 — moderate severity. The attacker needs low-privilege proxy access, and the impact is confidentiality-only. No in-the-wild exploitation has been reported. Calif.io credits Anthropic’s Claude Mythos Preview with catching the strchr quirk quickly, part of a broader trend of AI agents surfacing buried parser bugs in legacy code.
