CVE-2025-62168
Published 2025-10-17
Priority P274 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS 63.32% (percentile 99.1)
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u4 (bookworm) | squid 5.7-2+deb12u4 (bookworm) |
| msrc | azl3_squid_6.13-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_squid_6.13-3_on_azure_linux_3.0 | — | — |
| squid-cache | squid | < 7.2 | 7.2 |
| squid | squid | >= 0 < 4.13-10+deb11u6 | 4.13-10+deb11u6 |
| squid | squid | >= 0 < 5.7-2+deb12u4 | 5.7-2+deb12u4 |
| squid | squid | >= 0 < 6.13-2+deb13u1 | 6.13-2+deb13u1 |
| squid | squid | >= 0 < 7.2-1 | 7.2-1 |
Detection & IOCs (extracted from sources)
- other: ERR_DNS_FAIL in HTTP error page body (Squid credential leak indicator)
- other: Authorization%3A%20Bearer%20([^%]+) — URL-encoded Authorization header in Squid error page body
- yara: Nuclei template: matchers on status_code==503, body contains 'mailto:', body contains 'ERR_DNS_FAIL', body contains injected Bearer token; extractor regex: Authorization%3A%20Bearer%20([^%]+)
- Trigger detection by sending a request with an Authorization: Bearer <token> header to a non-resolvable host through Squid; a vulnerable instance returns HTTP 503 with the token embedded in the mailto: diagnostic block of the error page body.
- Search Squid error page responses (HTTP 503) for the string 'mailto:' combined with 'ERR_DNS_FAIL' and a URL-encoded Authorization header value (Authorization%3A%20Bearer%20) to identify active credential leakage.
- No authentication to Squid is required to exploit this vulnerability; any remote client can trigger an error condition to extract credentials.
- On Red Hat Enterprise Linux, the default Squid configuration has email_err_data enabled, making all default RHEL Squid deployments prior to 7.2 vulnerable without additional configuration changes.
- Check squid.conf for the absence of 'email_err_data off'; if the directive is missing, the instance is vulnerable by default.
- The vulnerability is only exploitable when email_err_data is enabled (on) in squid.conf; this is the default on Red Hat Enterprise Linux. Instances with 'email_err_data off' are not vulnerable.
- Attacks do not require Squid to be configured with HTTP authentication — any Authorization header passed through Squid (e.g., Bearer tokens for backend apps) can be leaked.
- The credential leak specifically affects the mailto: diagnostic block in Squid-generated error pages; disabling email_err_data in squid.conf is the documented workaround for versions prior to 7.2.
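The two defender-side checks listed above, written out as an added Python example (not code from the page, the Nuclei template, or the Squid project): it determines the effective `email_err_data` setting in a squid.conf and scans a captured 503 error-page body for the URL-encoded Authorization header using the extractor regex above, reporting a redacted finding so the token is not copied into logs. The sample error page is constructed, and the rule that an absent directive counts as "on" is taken from the list above.

```python
import re
from typing import Optional

# Hypothetical check, not Squid project code. The page states that a missing
# email_err_data directive leaves the instance exposed, so absent == "on".
_DIRECTIVE = re.compile(r"^\s*email_err_data\s+(on|off)\b", re.IGNORECASE)

def email_err_data_enabled(squid_conf: str) -> bool:
    """True if the effective email_err_data setting is 'on' (leak possible).
    The last uncommented occurrence of the directive wins."""
    effective = "on"
    for line in squid_conf.splitlines():
        m = _DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            effective = m.group(1).lower()
    return effective == "on"

# The page's extractor pattern: the Authorization header as it is URL-encoded
# inside the mailto: body of a Squid error page.
_LEAK = re.compile(r"Authorization%3A%20Bearer%20([^%]+)")

def find_credential_leak(status_code: int, body: str) -> Optional[dict]:
    """Flag a 503 error page whose mailto: diagnostic block carries a Bearer
    token. The finding is redacted so the token is not copied into logs."""
    if status_code != 503 or "mailto:" not in body or "ERR_DNS_FAIL" not in body:
        return None
    m = _LEAK.search(body)
    if m is None:
        return None
    token = m.group(1)
    return {
        "indicator": "ERR_DNS_FAIL mailto: block with Authorization header",
        "token_prefix": token[:4] + "...",  # enough to correlate, not to reuse
        "token_length": len(token),
    }

# Constructed sample of a Squid-style error page (not a real capture).
SAMPLE_BODY = (
    "<h1>ERROR</h1><p>The requested URL could not be retrieved</p>"
    '<a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_DNS_FAIL'
    "&body=CacheHost%3A%20proxy.example%0D%0AErrPage%3A%20ERR_DNS_FAIL%0D%0A"
    'Authorization%3A%20Bearer%20eyJhbGciOiJIUzI1NiJ9.sample.sig%0D%0A">'
    "Generated by squid</a>"
)

if __name__ == "__main__":
    print("email_err_data on:", email_err_data_enabled("email_err_data off\n"))
    print("finding:", find_credential_leak(503, SAMPLE_BODY))
```

Run the config check against the live squid.conf and the body scan over stored proxy responses or web-server logs of error pages; a non-None finding on a pre-7.2 instance confirms the leak path is active.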
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_msrc | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |
OSV
CVE-2025-62168: Squid is a caching proxy for the Web
osv · 2025-10-17 · CVSS 7.5 (HIGH)
Ubuntu
Squid vulnerability
vendor_ubuntu · 2025-10-28
Summary: Squid would allow unintended access to sensitive information over the network.
Leonardo Giovannini discovered that Squid failed to redact HTTP Authentication credentials in a default configuration. An attacker could possibly use this issue to obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid-cache: Squid vulnerable to information disclosure via authentication credential leakage in error handling
vendor_redhat · 2025-10-17 · CVSS 10.0 (CRITICAL) · CWE-209
Microsoft
Squid vulnerable to information disclosure via authentication credential leakage in error handling
vendor_msrc · 2025-10-14 · CVSS 10.0 (CRITICAL) · CWE-209
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediatio
Debian
CVE-2025-62168: squid
vendor_debian · 2025 · CVSS 10.0 (CRITICAL)
Scope: local
bookworm: resolved (fixed in 5.7-2+deb12u4)
bullseye:
Nuclei
Squid Proxy - HTTP Authentication Credentials Disclosure
nuclei · CVSS 7.5 (HIGH)
Squid versions prior to 7.2 fail to redact HTTP authentication credentials in error page responses. The Authorization header value is embedded in plain text inside the mailto: diagnostic block when Squid generates an error page (e.g. ERR_DNS_FAIL).
Template:

```yaml
id: CVE-2025-62168
info:
  name: Squid Proxy - HTTP Authentication Credentials Disclosure
  author: xtr0nix
  severity: critical
  description: |
    Squid versions prior to 7.2 fail to redact HTTP authentication credentials in error page responses. The Authorization header value is embedded in plain text inside the mailto: diagnostic block when Squid generates an error page (e.g. ERR_DNS_FAIL).
  impact: |
    Attackers can extract tokens and credentials used by trusted clients or backend app
```
Wiz
CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 10.0
## CVE-2026-33515: Squid vulnerability analysis and mitigation
icp_port · icp_access
Source: NVD · Score 6.9 · Published March 26, 2026 · Severity MEDIUM · CNA Score 6.9
Affected technologies: Squid, Linux Red Hat
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability (EPSS): 0.2 · EPSS percentile: 36
Affected packages and libraries: squid, squid34
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| CBL-Mariner 3.0 | MEDIUM | Has Fix | Mar 29, 2026 |
| Debian 11, 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | MEDIUM | Has Fix | Mar 26, 2026 |
| Echo | MEDIUM | No Fix | Mar 26, 2026 |
| Homebrew | MEDIUM | Has Fix | Apr 02, 2026 |
| Nix | MEDIUM | Has Fix | |
Wiz
CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 10.0
## CVE-2026-33526: Squid vulnerability analysis and mitigation
icp_port · icp_access
Source: NVD · Score 9.2 · Published March 26, 2026 · Severity CRITICAL · CNA Score 9.2
Affected technologies: Squid, Linux Red Hat
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability (EPSS): 1.7 · EPSS percentile: 82.3
Affected packages and libraries: squid:4::squid, squid
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| AlmaLinux 9 | HIGH | Has Fix | Apr 02, 2026 |
| CBL-Mariner 3.0 | HIGH | Has Fix | Mar 29, 2026 |
| Debian 11 | HIGH | No Fix | Mar 26, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | HIGH | Has Fix | Mar 26, 2026 |
| Echo | HIGH | No Fix | |
Wiz
CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 10.0
## CVE-2026-32748: Squid vulnerability analysis and mitigation
icp_port · icp_access
Source: NVD · Score 8.7 · Published March 26, 2026 · Severity HIGH · CNA Score 8.7
Affected technologies: Squid, Linux Red Hat
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability (EPSS): 1.3 · EPSS percentile: 79.5
Affected packages and libraries: squid:4::squid, squid
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| AlmaLinux 9 | HIGH | Has Fix | Apr 02, 2026 |
| CBL-Mariner 3.0 | HIGH | Has Fix | Mar 29, 2026 |
| Debian 11 | HIGH | No Fix | Mar 26, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | HIGH | Has Fix | Mar 26, 2026 |
| Echo | HIGH | No Fix | |
Bugzilla
CVE-2025-62168 squid-cache: Squid vulnerable to information disclosure via authentication credential leakage in error handling
bugzilla · 2025-10-17 · CVSS 7.5 (HIGH)
Published 2025-10-17