cve/2023/CVE-2023-49288.md

### [CVE-2023-49288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49288)
![](https://img.shields.io/static/v1?label=Product&message=squid&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3E%3D%203.5%2C%20%3C%206.0.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-416%3A%20Use%20After%20Free&color=brighgreen)

### Description

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with "collapsed_forwarding on" are vulnerable. Configurations with "collapsed_forwarding off" or without a "collapsed_forwarding" directive are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should remove all collapsed_forwarding lines from their squid.conf.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/MegaManSec/Squid-Security-Audit