Permissions, Privileges, and Access Controls in Squid - CVE-2019-12522
Published: August 6, 2025
Vulnerability identifier: #VU113717
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-12522
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Squid-cache.org
Affected software:
Squid
Squid
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
How to mitigate CVE-2019-12522
Install updates from vendor's website.