CVE-2016-10002 in Squid

Summary

by MITRE

Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.

Analysis

by VulDB Data Team • 05/15/2026

CVE-2016-10002 is a critical information disclosure flaw in the Squid HTTP proxy. It affects versions 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16, so the impact spans the proxy's major release lines. The flaw lies in the handling of HTTP conditional requests, specifically those using the If-None-Modified header mechanism commonly used for cache validation. It operates at the application layer and falls under CWE-200, which addresses the exposure of sensitive information.

The technical mechanism is the incorrect processing of HTTP responses when clients make conditional requests through the Squid proxy. When a client sends an If-None-Modified request, the proxy should validate whether the requested resource has been modified since the last retrieval and respond accordingly. Because of the flawed implementation, the server fails to isolate cookie data associated with different clients. This flaw allows cookie information intended for one client to be exposed to other clients accessing the same cached resources, a cross-client information leak that undermines the security assumptions of HTTP session management.

The operational impact extends beyond simple information disclosure. The flaw is particularly concerning because attack requests are easy to craft: any client with access to the proxy can probe the cache to extract sensitive cookie data belonging to other users. This type of vulnerability aligns with ATT&CK technique T1213.002, which involves data from information repositories, and represents a significant risk to user privacy and session integrity. The vulnerability essentially allows cache probing in which one client can obtain authentication tokens, session identifiers, or other sensitive cookie data that should remain isolated to specific user sessions.

The implications are particularly severe in environments where Squid proxies handle sensitive web traffic, such as corporate networks, financial institutions, or any organization managing user sessions that rely on cookie-based authentication. Attackers could leverage this flaw to impersonate users, hijack sessions, or gain unauthorized access to protected resources by collecting authentication cookies from other users. The vulnerability's persistence across multiple major versions suggests that organizations using affected Squid versions may have been exposed to this risk for an extended period, potentially allowing attackers to harvest sensitive session data over time. Organizations should consider immediate mitigations, including patching affected versions, adding network segmentation, or deploying web application firewalls to detect and prevent exploitation attempts.
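To decide which proxies fall under the patching advice above, the version a proxy reports can be checked against the affected ranges from the summary. This is an added example, not code from VulDB or the Squid project; the function names are hypothetical, the sample banners are constructed, and it assumes the version appears as `Squid Cache: Version X` (from `squid -v`) or `squid/X` (in Via or Server headers).

```python
import re

# Affected ranges exactly as listed in the CVE-2016-10002 summary (inclusive).
AFFECTED = [
    ((3, 1, 10), (3, 1, 23)),
    ((3, 2, 0, 3), (3, 5, 22)),
    ((4, 0, 1), (4, 0, 16)),
]

# Assumed banner shapes: "Squid Cache: Version 3.5.20" (squid -v output)
# and "squid/3.5.20" (Via / Server response headers).
_BANNER = re.compile(r"squid(?:/| Cache: Version )(\d+(?:\.\d+){1,3})", re.I)

def parse_version(text):
    """Return the Squid version found in text as a tuple of ints, or None."""
    m = _BANNER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def _pad(v, width=4):
    # Pad to four components so 3.5.22 == 3.5.22.0 and 3.2.0.3 > 3.2.0.
    return tuple(v) + (0,) * (width - len(v))

def is_affected(version):
    """True if version lies inside a range named in the CVE summary."""
    v = _pad(version)
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED)

def triage(banners):
    """Map each banner string to 'affected', 'not in range' or 'unknown'."""
    out = {}
    for b in banners:
        v = parse_version(b)
        out[b] = "unknown" if v is None else ("affected" if is_affected(v) else "not in range")
    return out

# Constructed sample inputs, not taken from any real host.
SAMPLES = [
    "Squid Cache: Version 3.5.22",
    "Via: 1.1 proxy01 (squid/3.5.23)",
    "Server: squid/3.2.0.2",
    "Via: 1.1 edge (squid/4.0.16)",
    "Server: nginx",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLES).items():
        print(f"{verdict:13} {banner}")
```

A version inside a range marks the host for review rather than proving exposure, because distribution packages can carry backported fixes under an unchanged upstream version number.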

Reservation: 12/17/2016
Disclosure: 01/27/2017
Moderation: accepted
Entry: 2

CPE: ready
EPSS: 0.14676
KEV: no
Activities: very low
