Squidbleed: a 29-year-old bug in Squid Proxy, found by the very AI model that was banned shortly afterwards

Yesterday I wrote about the Mythos ban. The ink was barely dry when a story emerged that rounds it off with a certain irony.

The very model that Washington had just taken off the grid had recently been busy tracking down a nearly 30-year-old security flaw in one of the world's most widely used pieces of proxy software.

Published with a wink on calif.io: meet Squidbleed.

What is Squid anyway?

Squid is a widely used web proxy found mainly in corporate networks, schools and anywhere traffic needs to be filtered, cached or monitored. Anyone who has ever sat in an office or on airport Wi-Fi and noticed that certain pages are blocked has probably met Squid without knowing it. This thing is an institution.

And as is sometimes the case with institutions, code from another era slumbers beneath the well-kept surface.

The bug: A journey back in time to 1997

The core of Squidbleed lies in Squid's FTP parser. Yes, FTP, the protocol that most modern browsers dropped from their repertoire years ago. Squid, however, still supports FTP by default.

The problem: FTP has no standardized, machine-readable format for directory listings. Each server delivers them as some kind of text block, and Squid has to make sense of the jumble. A commit from 18 January 1997 (for the younger readers: that's older than Google!) added special handling for NetWare FTP servers, which put four spaces instead of one between the timestamp and the file name.

The fix at the time: a loop that skips whitespace until the file name begins.

The problem with this: strchr(), a C standard library function, also reports a hit when the character being looked for is the null terminator '\0', because the terminator counts as part of the string being searched. So if no file name follows the timestamp, the loop walks straight over the end of the string and the pointer keeps going. And going. And going, until it hits data that is no longer part of the FTP listing.

What happens next is the eponymous problem: the proxy reads heap data that belongs to something else entirely and sends it back to the attacker as a supposed file name.

Too technical? Here is the simpler version:

Okay, imagine you are a librarian in a huge library. Your job is to fetch books for your visitors. Someone comes in and says: "Please get me the book from shelf 7!" So you go, fetch it, done. That is Squid: a middleman who fetches things for others.

The note box

In this library there is also an old note box for FTP servers. FTP is an ancient system for transferring files. Think of it as a very, very old filing cabinet from the 80s that nobody actually uses anymore, but which still stands in the corner because nobody has cleared it away. When someone asks "what's in this filing cabinet?", Squid goes over, reads the labels on the folders and writes them down on a note.

The problem with the note

Now comes the mistake. Squid reads the label on a folder, say "Date: January 16, file name: ...", and then looks for the file name. It uses a little helper called strchr, whose job is: "Keep walking until you find something that isn't a space."

But what happens if there is no file name after the date? Common sense says: "Then stop looking." strchr doesn't see it that way. It just keeps going. Past the note. Past the folder. Past the filing cabinet. It just keeps reading whatever it finds there.

What's wrong with that?

In the library analogy: right next to it lie the notes of other visitors. Papers that say "User Max logged in with password XY today" or "User Lisa just entered her credit card number". Squid reads all of this, because strchr never stopped searching, and then hands it back as a "file name" to the person who asked.

What can an attacker get with it?

Squid recycles its internal memory buffers. A 4 KB buffer that a moment ago held the HTTP request of another user of the same proxy can be reused for an FTP listing shortly afterwards without the old contents being cleared. The overread then reads out exactly these leftovers and sends them to the attacker.

In plain language: Authorization headers, passwords, API keys. Whatever other users of the same proxy happen to be sending down the line at that moment. Oops.
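The whitespace-skip loop from the parser section and the recycled buffer from this one, together, as an added example. This is my own reconstruction in C, not Squid's source: `skip_ws_vulnerable` and `skip_ws_fixed` are the before and after of the one-line fix quoted further down in the post, and `make_recycled_buffer` stands in for a buffer that still holds another user's request. The identifier names (`w_space`, `copyFrom`) follow the page's diff; the buffer size, its contents and the exact members of `w_space` are constructed for the demo.

```c
/* Added example, not Squid's code: a reconstruction of the 1997 whitespace-skip
 * loop and of the recycled buffer described above. Identifier names (w_space,
 * copyFrom) follow the page's diff; buffer layout and contents are constructed. */
#include <stdio.h>
#include <string.h>

/* Whitespace set tested with strchr(). Exact members are an assumption; the
 * relevant property is that strchr() also "finds" the implicit '\0' at its end. */
static const char w_space[] = " \t\r\n";

#define BUF_SIZE      64
#define TIMESTAMP_LEN 17   /* strlen("Jan 16 1997 12:34") */

/* C11 7.24.5.2: the terminating null is part of the string searched, so
 * looking for '\0' returns a non-NULL pointer. Returns 1 to confirm this. */
static int strchr_matches_nul(void)
{
    return strchr(w_space, '\0') != NULL;
}

/* Build a constructed "recycled" buffer: stale bytes from another user's
 * HTTP request (never cleared by the previous owner), with an FTP listing
 * line written over the front. The line is NetWare-style: a timestamp,
 * four spaces, and NO file name, so its '\0' lands at offset 21, right
 * before the "Authorization" header of the stale request. */
static void make_recycled_buffer(char *buf)
{
    /* constructed stale request; dXNlcjpodW50ZXIy is base64("user:hunter2") */
    static const char stale[] =
        "GET /login/ HTTP/1.1\r\n"
        "Authorization: Basic dXNlcjpodW50ZXIy\r\n";
    static const char listing[] = "Jan 16 1997 12:34    ";

    memset(buf, 0, BUF_SIZE);
    memcpy(buf, stale, sizeof stale - 1);   /* 61 bytes, fits in 64 */
    memcpy(buf, listing, sizeof listing);   /* 22 bytes incl. the '\0' */
}

/* The 1997 loop: strchr(w_space, '\0') is non-NULL, so the pointer walks
 * straight over the terminator into whatever follows in memory. In this
 * demo that is still inside the 64-byte array, so the read stays defined. */
static const char *skip_ws_vulnerable(const char *copyFrom)
{
    while (strchr(w_space, *copyFrom))
        copyFrom++;
    return copyFrom;
}

/* The fixed loop: test for the terminator first; && short-circuits before
 * strchr() is ever asked about '\0'. */
static const char *skip_ws_fixed(const char *copyFrom)
{
    while (*copyFrom && strchr(w_space, *copyFrom))
        copyFrom++;
    return copyFrom;
}

/* Extract the "file name" the way the page describes the parser: skip the
 * whitespace after the timestamp, then take the rest of the line. */
static void parse_listing_name(const char *buf,
                               const char *(*skip)(const char *),
                               char *out, size_t outlen)
{
    const char *p = skip(buf + TIMESTAMP_LEN);
    size_t n = 0;
    while (n + 1 < outlen && p[n] != '\0' && p[n] != '\r' && p[n] != '\n')
        n++;
    memcpy(out, p, n);
    out[n] = '\0';
}

/* What the old parser would hand back to the requester as a "file name". */
static const char *leaked_name(void)
{
    static char buf[BUF_SIZE], name[BUF_SIZE];
    make_recycled_buffer(buf);
    parse_listing_name(buf, skip_ws_vulnerable, name, sizeof name);
    return name;
}

/* The same listing line after the fix: an empty name, nothing leaked. */
static const char *fixed_name(void)
{
    static char buf[BUF_SIZE], name[BUF_SIZE];
    make_recycled_buffer(buf);
    parse_listing_name(buf, skip_ws_fixed, name, sizeof name);
    return name;
}

int main(void)
{
    printf("strchr(w_space, '\\0') non-NULL: %d\n", strchr_matches_nul());
    printf("1997 loop returns : \"%s\"\n", leaked_name());
    printf("fixed loop returns: \"%s\"\n", fixed_name());
    return 0;
}
```

Running it prints the stale `Authorization: Basic ...` header as the "file name" for the old loop and an empty string for the fixed one. The demo keeps the overread inside its own array on purpose; in the real proxy the same walk crosses into whatever the allocator placed next, which is why the impact is "situational" rather than deterministic.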

The limitations are real: only unencrypted HTTP is affected (HTTPS passes through the proxy as an opaque CONNECT tunnel), and the attacker needs an FTP server that the proxy can actually reach. However, TCP port 21 is part of Squid's default ACL set. No configuration effort is required on the victim's side, as long as the attacker can run an FTP server somewhere.

Who found this?

Here is the part that particularly nags at me as someone who wrote about the Mythos ban yesterday. Calif.io's security research team had already pointed Claude Mythos Preview (that is, the model Washington banned shortly afterwards) at the Squid source code back in April, with the instruction to take a closer look at the FTP state-machine code.

The model found the bug almost immediately and justified it with a reference to the C11 standard: strchr(w_space, '\0') returns a non-NULL pointer by specification, because the null terminator is considered part of the string. A detail that nobody seems to have noticed in almost 30 years of code review, rewrites and audits.

The fix, by the way, is very simple: two additional null-byte checks before the strchr() calls:

- while (strchr(w _space, *copyFrom)) + while (*copyFrom && strchr(w _space, *copyFrom)))
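Review bot: the `+` line has one closing parenthesis too many (`strchr(w _space, *copyFrom)))` closes three for two opens), so as printed it would not compile; drop the final `)`. The identifier also appears with a stray space as `w _space` in both lines, which reads as the page's rendering of `w_space`. The logic of the fix is right: `*copyFrom` is evaluated first, and `&&` short-circuits at the terminator, so `strchr()` is never asked about `'\0'`, the case it would otherwise match.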

One day's work for the maintainers. Almost three decades in the dark.

What to do now

If you run Squid: turn off FTP unless you actively need it. Chrome dropped FTP support years ago, and Firefox did too. Anyone who does not send legitimate FTP traffic through their proxy (which, I cautiously suspect, is most people in 2026) can simply disable the feature and eliminate the entire attack surface.
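One way to do that in squid.conf, as an added example and not something from the Squid advisory or the calif.io write-up. The ACL name `ftp_proto` is my own choice; `proto` and `port` are standard Squid ACL types, and `Safe_ports` is the ACL the stock config ships with. The fragment assumes the stock ordering, where `http_access deny !Safe_ports` sits above the `http_access allow localnet` rules; the trimmed `Safe_ports` list below stands in for the longer one in the shipped file.

```conf
# Added example: remove the FTP attack surface from a Squid proxy that only
# needs to forward HTTP(S). Order matters: http_access rules are evaluated
# top to bottom and the first match wins.

# 1. Refuse requests for ftp:// URLs outright, before any allow rule.
acl ftp_proto proto FTP
http_access deny ftp_proto

# 2. The stock config lists 21 as a "safe" destination port. Remove it so the
#    generic "deny !Safe_ports" rule also refuses port-21 destinations.
acl Safe_ports port 80          # http
# acl Safe_ports port 21        # ftp  <- removed
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
http_access deny !Safe_ports

# ... the usual allow localnet / deny all rules follow unchanged ...
```

Check the syntax with `squid -k parse` and reload with `squid -k reconfigure`; afterwards a request such as `curl -x http://<proxy>:3128 ftp://<host>/` through the proxy should come back as denied rather than reach any FTP server.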

Addendum: Squid 7.6 (released 8 June 2026) and Squid 8 already contain the patch (thanks to Golem.de for the report). The official advisory was published on 24 June. Anyone still on an older version should update.

The real conclusion

Technically, Squidbleed is not a world-shattering RCE and not a zero-click miracle. It is a heap overread with situational impact. But it is symptomatic of something that happens regularly in the open source world: code that has been running for decades, that nobody really understands anymore, and in which subtle C properties quietly rot away.

That an AI model, of all things, found this bug, and specifically the model that the U.S. government classified as too dangerous shortly afterwards, has a certain quality to it. The ability to find security flaws is apparently exactly what worried Washington. Whether that is an argument for or against the ban, I leave to you.

The answer lies somewhere between the lines of yesterday's post.