CVE-2025-62168
Squid vulnerable to information disclosure via authentication credential leakage in error handling
In short
Squid proxy fails to hide login credentials in error messages, allowing attackers to steal authentication information that should be kept secret. This affects any website using Squid, even if Squid itself doesn't require passwords.
Technical detail
Squid versions prior to 7.2 fail to redact HTTP authentication credentials in error responses and debug information. An attacker can craft requests to trigger error conditions that expose credentials in error pages or mailto links, bypassing browser protections and potentially disclosing internal authentication tokens used by backend applications.
Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Affected products
squid-cache · squidpublic PoCs found — 1
githubgithub.com/nehkark/CVE-2025-62168★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →