An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.
Threat-Mapped Scoring
Score: 1.8
Priority: P4 - Informational (Low)
S9 – Sabotage of System/App
EPSS
Score: 0.00251
Percentile: 0.48376
CVSS Scoring
CVSS v3.1 Score: 6.5
Severity: MEDIUM
Mapped CWE(s)
CWE-697 : Incorrect Comparison
All CAPEC(s)
CAPEC-10 : Buffer Overflow via Environment Variables
CAPEC-120 : Double Encoding
CAPEC-14 : Client-side Injection-induced Buffer Overflow
CAPEC-15 : Command Delimiters
CAPEC-182 : Flash Injection
CAPEC-24 : Filter Failure through Buffer Overflow
CAPEC-267 : Leverage Alternate Encoding
CAPEC-3 : Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-41 : Using Meta-characters in E-mail Headers to Inject Malicious Payloads
CAPEC-43 : Exploiting Multiple Input Interpretation Layers
CAPEC-44 : Overflow Binary Resource File
CAPEC-45 : Buffer Overflow via Symbolic Links
CAPEC-46 : Overflow Variables and Tags
CAPEC-47 : Buffer Overflow via Parameter Expansion
CAPEC-52 : Embedding NULL Bytes
CAPEC-53 : Postfix, Null Terminate, and Backslash
CAPEC-6 : Argument Injection
CAPEC-64 : Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-67 : String Format Overflow in syslog()
CAPEC-7 : Blind SQL Injection
CAPEC-71 : Using Unicode Encoding to Bypass Validation Logic
CAPEC-73 : User-Controlled Filename
CAPEC-78 : Using Escaped Slashes in Alternate Encoding
CAPEC-79 : Using Slashes in Alternate Encoding
CAPEC-8 : Buffer Overflow in an API Call
CAPEC-80 : Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-88 : OS Command Injection
CAPEC-9 : Buffer Overflow in Local Command-Line Utilities
CAPEC-92 : Forced Integer Overflow
CAPEC(s) with Mapped TTPs
CAPEC-267 : Leverage Alternate Encoding
Mapped TTPs:
T1027 : Obfuscated Files or Information
Mapped ATT&CK TTPs
T1027 : Obfuscated Files or Information
Kill Chain: defense-evasion
Malware
APTs Threat Group Associations
Campaigns
2016 Ukraine Electric Power Attack
C0015
C0017
Affected Products
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me