
29-Year-Old ‘Squidbleed’ Vulnerability Discovered With the Aid of Claude Mythos Preview

Cybersecurity News, archived Jun 22, 2026

By Guru Baran, June 22, 2026

A Heartbleed-style heap buffer overread lurking in Squid Proxy since 1997 can silently leak HTTP headers, including passwords and API keys, from other users on the same proxy.

Security researchers at Calif.io have disclosed a critical memory disclosure vulnerability in Squid Proxy, dubbed Squidbleed, discovered with the assistance of Anthropic’s Claude Mythos Preview AI model. The bug impacts all Squid versions in the default configuration and has gone undetected for nearly three decades, predating all available commit history in Squid’s GitHub repository.

29-Year-Old Squidbleed Vulnerability

Squidbleed (CVE pending) is a heap buffer overread rooted in Squid’s FTP directory listing parser. When exploited, it causes Squid to read memory beyond a heap-allocated buffer and return that stale data, potentially including another user’s HTTP request, authorization headers, or API keys, as part of an FTP directory listing response.

The flaw traces back to a commit dated January 18, 1997, which added logic to handle NetWare FTP servers that placed four spaces between a file’s modification timestamp and its filename. That change introduced a while(strchr(w_space, *copyFrom)) loop designed to skip over extra whitespace. However, there is a critical oversight: strchr in C treats the null terminator (\0) as part of the string being searched, per C11 §7.24.5.2. When no filename follows the timestamp, copyFrom points to a null byte, but instead of halting, strchr returns non-NULL, causing ++copyFrom to increment past the buffer boundary and into adjacent heap memory. The result is a confirmed heap overread of up to 4,065 bytes, validated by AddressSanitizer (ASAN).

Squid uses per-size freelists on top of malloc. When a 4KB buffer is freed, it is recycled without zeroing.
If a victim’s HTTP request was previously stored in MEM_4K_BUF (which is the case for most standard HTTP requests on Squid 7.x, where CLIENT_REQ_BUF_SZ is set to 4096), only the first few dozen bytes are overwritten by the short FTP listing line. The remainder of the buffer retains the victim’s stale request data. An attacker who controls an FTP server reachable from the proxy can then trigger the overread via a malformed directory listing with no filename, causing Squid to return the victim’s recycled HTTP data, including Authorization headers and session tokens, as part of the FTP response, according to the Calif.io research.

Squidbleed Attack Surface

The attack surface is situational but realistic:

- FTP support must be enabled (it is on by default)
- The attacker must control an FTP server reachable on TCP port 21 from the proxy (included in Squid’s default Safe_ports ACL)
- Victim traffic must be cleartext HTTP or pass through a TLS-terminating proxy setup
- HTTPS CONNECT tunnels are opaque and unaffected

The researchers confirmed the attack by leaking Authorization headers from a login page via a shared Squid proxy. A proof of concept is publicly available on GitHub.

The fix is a single-line null check applied before each strchr call:

    - while (strchr(w_space, *copyFrom))
    + while (*copyFrom && strchr(w_space, *copyFrom))

The patch has been merged into the Squid repository. Administrators are strongly urged to disable FTP support unless explicitly required, as most modern browsers, including all Chromium-based browsers, dropped FTP support years ago, making legitimate FTP proxy traffic exceedingly rare.

The discovery was made by directing Claude Mythos Preview to investigate Squid’s FTP state machine using multi-agent analysis. The model flagged the strchr null terminator behavior almost immediately, demonstrating how LLMs trained on C standard references can surface subtle API contract violations that evade human code review.
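
Review bot: on the + line, the *copyFrom && guard has to be written by hand at every strchr(w_space, ...) scan, and the article says it was applied before each call, so a future call site can omit it again. Consider expressing the skip as copyFrom += strspn(copyFrom, w_space); which stops at the terminator by definition, or putting the guarded test in one shared helper. A regression test that feeds the parser a listing line ending right after the timestamp, run under ASAN, would keep the behaviour pinned.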

This follows the team’s earlier disclosure of a hidden HTTP/2 vulnerability uncovered using OpenAI’s Codex Cyber, signaling a broader trend of AI-assisted open-source security auditing.
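
The strchr terminator match and the non-zeroed buffer reuse described in the article, shown side by side with the guarded loop. This is an added example, not code from the article, Calif.io or the Squid source; the buffer size, the contents of w_space, the function names and the sample request are constructed, and both loops carry an extra bound so the demo never reads outside its own array.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 96                         /* stand-in for a recycled 4 KB pool buffer */
static const char w_space[] = " \t\n\r";  /* assumed whitespace set */
static char pool_buf[BUF_SZ];

/* Constructed sample data: an earlier request, then a short listing line
 * written over its start without zeroing the rest. Returns the offset of the
 * listing line's terminator, where the parser expects the filename. */
static size_t recycle_buffer(void)
{
    static const char stale[] =
        "GET /login HTTP/1.1\r\nAuthorization: Basic CONSTRUCTED\r\n";
    static const char listing[] = "Jan 18  1997";    /* timestamp, no filename */

    memset(pool_buf, 0, sizeof(pool_buf));
    memcpy(pool_buf, stale, sizeof(stale));          /* earlier owner of the buffer */
    memcpy(pool_buf, listing, sizeof(listing));      /* copy includes the '\0' */
    return sizeof(listing) - 1;
}

/* Pre-fix loop shape. The pos < BUF_SZ - 1 bound exists only to keep this demo
 * inside its own array; it is not part of the original loop. */
static const char *skip_ws_before_fix(size_t pos)
{
    while (pos < BUF_SZ - 1 && strchr(w_space, pool_buf[pos]))
        ++pos;                                       /* also steps over '\0' */
    return pool_buf + pos;
}

/* Post-fix loop shape: test for the terminator before calling strchr(). */
static const char *skip_ws_after_fix(size_t pos)
{
    while (pos < BUF_SZ - 1 && pool_buf[pos] && strchr(w_space, pool_buf[pos]))
        ++pos;
    return pool_buf + pos;
}

int main(void)
{
    size_t end = recycle_buffer();
    printf("strchr(w_space, 0) matches: %s\n", strchr(w_space, '\0') ? "yes" : "no");
    printf("before fix, filename starts: \"%.6s\"\n", skip_ws_before_fix(end));
    printf("after fix,  filename: \"%s\"\n", skip_ws_after_fix(end));
    return 0;
}
```

Before the fix the "filename" pointer lands one byte past the listing line's terminator, inside the earlier request; after the fix it stays on the terminator and the filename is empty.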