A Decades-Old Proxy Flaw and the AI Agent That Spotted It
Squidbleed, a 29-year-old memory leak in widely deployed caching software, went unnoticed through three decades of enterprise use - until a researcher and an LLM agent traced its root to a 1997 patch for NetWare servers.

The Flaw That Outlasted Clinton
A vulnerability introduced in 1997 - when NetWare servers roamed corporate LANs and plaintext FTP still felt reasonable - has been leaking memory in Squid, one of the most widely deployed open-source caching proxies on the internet, for twenty-nine years. The bug, now tracked as CVE-2026-47729 and nicknamed Squidbleed by its discoverer, can expose plaintext HTTP requests, including credentials, API keys, and session tokens, to any attacker who can coax a vulnerable Squid instance into connecting to a malicious FTP server.
Lam Jun Rong, a security researcher at Calif.io, stumbled onto the issue in an unlikely setting: an in-flight Wi-Fi portal running a decade-old build of Squid. What followed was a forensic dive into legacy code, assisted by Anthropic's Claude Mythos Preview, that surfaced a heap overread buried in the proxy's FTP directory-listing parser. Squid's maintainers patched the flaw in version 7.6, released in early June, but the discovery raises uncomfortable questions about how many other decades-old commits are quietly lurking in critical infrastructure.
At DailyTechWire, we've tracked a rising tide of AI-assisted vulnerability research over the past year - from OpenAI's Codex contributions to static-analysis tools to collaborative agent frameworks that can trace control flow across thousands of lines of legacy C. Squidbleed is a sharp illustration of where that trend leads: not just faster bug discovery, but the unearthing of flaws that predate modern tooling and survived multiple waves of manual audit.
How a NetWare Workaround Became a Memory Leak
The root cause is a single loop added to Squid's codebase in 1997, committed as bb97dd37a. The patch was written to accommodate NetWare FTP servers, which inserted extra whitespace between file modification timestamps and filenames in directory listings. NetWare, a once-dominant network operating system from Novell, was ubiquitous in the late eighties and nineties, powering file and print services before Windows Server and Linux distributions displaced it.
Most FTP servers of that era used a single space character to separate timestamp and filename fields. NetWare's implementation, however, emitted multiple spaces. To handle this quirk, the 1997 commit introduced a loop that advanced a pointer - copyFrom - past any whitespace character before copying the filename into a buffer:
```c
/* Skip the extra whitespace NetWare servers put between timestamp and filename */
while (strchr(w_space, *copyFrom))
    ++copyFrom;
```
The problem, as Mythos Preview identified during Rong's analysis, is what happens when an attacker-controlled FTP server returns a directory listing that includes a timestamp but no filename. In that case, copyFrom reaches the null terminator at the end of the string. Because strchr treats the terminating null byte of w_space as part of the searched string, strchr(w_space, '\0') returns a pointer to that terminator rather than NULL, and the loop never exits. The pointer walks off the end of the allocated buffer, and the subsequent xstrdup call copies whatever lies beyond - often fragments of other HTTP requests stored in heap memory - back to the attacker as if it were a valid filename.
This is a textbook heap overread, similar in spirit to Heartbleed, the 2014 OpenSSL bug that leaked arbitrary memory contents through malformed TLS heartbeat packets. Squidbleed's attack surface is narrower - it requires plaintext HTTP or TLS-terminating deployments, and the proxy must be configured to allow outbound connections to FTP servers on TCP port 21 - but the impact is comparable. Any sensitive data in adjacent heap allocations, including credentials, tokens, or even fragments of other users' requests, can leak.
Conditions and Real-World Exposure
Squidbleed affects every version of Squid in its default configuration, provided two conditions are met. First, the proxy must be able to inspect network traffic in the clear. This means either handling plaintext HTTP - still common in internal enterprise networks, educational institutions, and some ISP transparent-proxy setups - or operating as a TLS-terminating middlebox that decrypts HTTPS traffic for inspection before re-encrypting it upstream.
Second, the proxy must permit outbound connections to an attacker-controlled FTP server on port 21. FTP, an aging protocol that transmits credentials in plaintext and lacks modern security features, has been deprecated by most browser vendors. Chromium-based browsers dropped FTP support entirely several years ago, and Firefox followed suit. Yet Squid, designed in an era when FTP was a legitimate enterprise use case, still ships with FTP support enabled by default.
Rong's proof-of-concept exploit demonstrated the attack in practice: an attacker embeds a malicious FTP URL in a web page or redirect chain, the victim's browser (or another client behind the proxy) requests it, Squid connects to the attacker's FTP server, receives a crafted directory listing with no filename, and the overread begins. The leaked memory is returned to the attacker as part of the FTP response, often in plaintext.
The window of exposure is wide. Large corporations, universities, government networks, and internet service providers have deployed Squid for decades to cache content, enforce content filters, and log user activity. Many of these installations run on stable, infrequently updated builds - Rong's in-flight encounter with a ten-year-old version is illustrative, not exceptional. The combination of legacy deployments, default FTP support, and the flaw's deep vintage means Squidbleed may have been silently exploitable across a significant fraction of the internet's proxy infrastructure for nearly three decades.
The Role of AI in Discovery
Rong credited Anthropic's Claude Mythos Preview with accelerating the forensic work that pinpointed the flaw. Mythos Preview, a reasoning-focused variant of Claude designed for deep technical analysis, helped trace the control flow through Squid's FTP parser and identified the condition under which the loop would fail to terminate. This marks the second high-profile vulnerability discovery from Calif.io in collaboration with frontier AI models; the firm previously uncovered an HTTP/2 amplification issue with assistance from OpenAI's Codex agent.
The use of large language models in vulnerability research has moved from experiment to operational practice over the past eighteen months. At DailyTechWire, we've followed the rollout of agent frameworks that can parse legacy C codebases, simulate execution paths, and flag suspicious patterns - work that once required days of manual auditing. Mythos Preview's contribution to Squidbleed was less about automation and more about augmentation: Rong brought domain expertise and intuition about where to look; the model brought the ability to exhaustively trace pointer arithmetic and edge cases across a sprawling codebase.
This collaboration is also part of a broader industry push. OpenAI announced its Patch the Planet initiative earlier this week, a coordinated effort to apply AI agents to open-source security audits at scale. Calif.io is a participant. The initiative's premise is that many critical bugs - especially those introduced before modern static analysis became routine - remain undiscovered not because they are subtle, but because the volume of legacy code is too large for human reviewers to cover comprehensively.
Squidbleed is a case study for that thesis. The flaw was neither obfuscated nor architecturally complex. It was a straightforward off-by-one error in a loop guarding a string copy. Yet it survived nearly three decades, multiple major version releases, and countless deployments precisely because it was buried in a niche code path - FTP directory parsing - that few developers or auditors had reason to scrutinize.
Mitigation and the Decline of FTP
Squid's maintainers addressed the issue with a simple patch: check for the null terminator before calling strchr. The fix is included in Squid version 7.6, released on June 8. Organizations running Squid should upgrade immediately.
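The following is an added illustration written for this article, not code from the Squid project or from Rong's analysis. It places the quoted 1997 loop beside the hardened form the fix describes (test for the terminator before calling strchr), and runs both on a constructed buffer in which known bytes follow the terminator, standing in for an adjacent heap allocation. The `w_space` contents and all function names are assumptions; Squid's real tables and helpers are not shown on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed whitespace set; Squid's real w_space table is not shown on the page. */
static const char *w_space = " \t\r\n";

/* The 1997 loop as the article quotes it. strchr() treats the terminator of
 * w_space as part of the searched string, so strchr(w_space, '\0') is non-NULL
 * and the loop steps past the end of the listing line. Returns the offset at
 * which the loop stops. The demo below only calls this on a buffer where a
 * non-space byte follows the terminator inside the same array, so the walk
 * stays inside defined memory. */
size_t skip_ws_1997(const char *s)
{
    const char *p = s;
    while (strchr(w_space, *p))
        ++p;
    return (size_t)(p - s);
}

/* Hardened form: test for the terminator before consulting strchr(). */
size_t skip_ws_fixed(const char *s)
{
    const char *p = s;
    while (*p != '\0' && strchr(w_space, *p))
        ++p;
    return (size_t)(p - s);
}

/* Hardened filename extraction for the text following the timestamp field.
 * Returns a malloc'd copy of the filename, or NULL when the field is empty,
 * so a listing with a timestamp but no filename is rejected instead of
 * being copied from whatever lies beyond the terminator. Caller frees. */
char *filename_after_timestamp(const char *after_ts)
{
    size_t off = skip_ws_fixed(after_ts);
    if (after_ts[off] == '\0')
        return NULL;
    size_t n = strlen(after_ts + off) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, after_ts + off, n);
    return copy;
}

/* Constructed buffer: three trailing spaces, the terminator, then bytes that
 * stand in for an adjacent heap allocation holding another client's request. */
static const char demo[] = "   \0token=abc123";

/* What xstrdup() would have copied after the 1997 loop ran on `demo`. */
const char *leaked_string(void)
{
    return demo + skip_ws_1997(demo);
}

/* How many bytes past the terminator the 1997 loop advanced. */
size_t overread_bytes(void)
{
    return skip_ws_1997(demo) - strlen(demo);
}

int main(void)
{
    printf("1997 loop stops at offset %zu (string ends at %zu)\n",
           skip_ws_1997(demo), strlen(demo));
    printf("copy would start at: \"%s\"\n", leaked_string());
    printf("fixed loop stops at offset %zu\n", skip_ws_fixed(demo));

    char *name = filename_after_timestamp("  README.txt");
    printf("fixed parser on \"  README.txt\": %s\n", name ? name : "(none)");
    free(name);
    printf("fixed parser on \"   \": %s\n",
           filename_after_timestamp("   ") ? "copied" : "rejected (NULL)");
    return 0;
}
```

On the constructed buffer the original loop stops one byte past the terminator and the subsequent copy starts at the neighbouring bytes, which is the leak the article describes; the hardened loop stops at the terminator, and the hardened parser returns NULL for an empty filename field so the caller can reject the listing rather than copy from unrelated memory.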
Rong also recommended a more aggressive mitigation: disable FTP support entirely unless there is a documented, business-critical need for it. Given that modern browsers no longer handle FTP URLs and that the protocol has been effectively deprecated in favor of HTTPS-based file transfer, most Squid deployments see zero legitimate FTP traffic. Disabling FTP at the proxy level removes the entire attack surface at no operational cost.
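One way to apply that recommendation in squid.conf, added here as an example rather than taken from the article or from Squid's documentation: deny the FTP URL scheme with a `proto` ACL and drop port 21 from the allowed destination ports. It assumes the stock squid.conf layout, where `Safe_ports` is checked before the permissive `http_access allow` rules; the ACL name `ftp_proto` is a placeholder.

```conf
# Refuse to proxy any ftp:// URL. Place this before the http_access allow rules.
acl ftp_proto proto FTP
http_access deny ftp_proto

# The stock configuration lists port 21 among the allowed destination ports.
# Remove (or comment out) that line so "http_access deny !Safe_ports" blocks it.
# acl Safe_ports port 21          # ftp
```

After reloading, requests for FTP URLs are denied at the proxy, so a malicious FTP server is never contacted; check the access log for denied FTP requests before rolling this out widely to confirm no legitimate FTP traffic remains.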
This recommendation aligns with a broader shift in enterprise security posture over the past decade. Protocols that were once ubiquitous - FTP, Telnet, SMBv1 - are now treated as legacy liabilities, kept alive only in environments where compatibility with aging systems outweighs the risk. Squidbleed underscores the cost of that backward compatibility. The 1997 commit that introduced the flaw was written to support NetWare servers, a platform that ceased active development in the mid-2000s and is now effectively extinct. Yet the code it introduced remained active, default-enabled, and exploitable for another two decades.
What This Signals for Infrastructure Security
Squidbleed is unlikely to be an isolated case. Squid's codebase, like that of many foundational open-source projects, has accreted features and fixes over decades, often in response to the needs of platforms and protocols that no longer exist. The same is true of OpenSSL, the Linux kernel, Apache, and countless other components of the internet's substrate. Each of these projects carries technical debt in the form of code written for environments that have long since disappeared - code that is rarely audited, rarely updated, and rarely questioned.
The discovery of Squidbleed through a combination of serendipity, researcher intuition, and AI-assisted analysis suggests a possible path forward: systematic, agent-augmented audits of legacy code paths, prioritized by deployment footprint and exposure risk. The economics of such audits have shifted. What once required weeks of human time can now be compressed into hours with the right tooling. The limiting factor is no longer the cost of review, but the coordination required to act on findings at scale.
At DailyTechWire, we expect to see more vulnerabilities of this vintage surface over the next two years as AI-assisted auditing becomes routine. The question is whether the industry can patch faster than adversaries can exploit. Squidbleed had the advantage of obscurity - there is no evidence the flaw was exploited in the wild before disclosure. The next decades-old bug may not be so lucky.
Organizations running Squid should update to version 7.6, disable FTP, and audit their proxy configurations for other legacy protocol support that may no longer be necessary. The era when backward compatibility was a free good is over. Every line of code written for a platform that no longer exists is now a potential liability, waiting for the right researcher - or the right model - to notice.