An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
{
"unresolved_ranges": [
{
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
}
]
},
{
"vendor_product": "fedoraproject:fedora",
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "33"
},
{
"last_affected": "33"
},
{
"introduced": "34"
},
{
"last_affected": "34"
}
]
}
]
}{
"cpe": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "4.0.1"
},
{
"fixed": "4.15"
},
{
"introduced": "5.0"
},
{
"fixed": "5.0.6"
}
]
}[
{
"digest": {
"line_hashes": [
"246787021619791419152269128153398552627",
"137540088876487517479355767659710642705",
"2037448173086037427154046699180625686",
"111963318781500401476263553951823657637"
],
"threshold": 0.9
},
"id": "CVE-2021-28662-ac67f9e9",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e",
"target": {
"file": "src/http/RegisteredHeaders.cc"
}
},
{
"digest": {
"length": 211.0,
"function_hash": "213594514490356346423760141520931754203"
},
"id": "CVE-2021-28662-b5ea6bf5",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e",
"target": {
"function": "HeaderLookupTable_t::lookup",
"file": "src/http/RegisteredHeaders.cc"
}
}
]
"2026-07-09T07:51:26Z"
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28662.json"