Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.

Amazon is aware of CVE-2025-54574 affecting Amazon Linux 2. Fixing this vulnerability will cause a high risk to stability which far outweighs the risk associated with the vulnerability. This vulnerability affects the URN feature, which is currently unreliable, undocumented, and due for deprecation. Customers can mitigate this vulnerability by disabling the URN feature in their Squid configuration. Additionally, we will provide a patch which hardens the information disclosure part of this vulnerability. We recommend customers evaluate their use of the URN feature and implement the suggested mitigation if needed. For customers requiring continued use of this feature, please note that while our provided patch minimizes the information disclosure risk, the underlying buffer overflow vulnerability remains present.