CVE-2025-62168
published 2025-10-17


Priority: P274 (high)
CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 63.32% (99.1th percentile)
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

Affected (8 ranges)

| Vendor      | Product                              | Version range                    | Fixed in                       |
|-------------|--------------------------------------|----------------------------------|--------------------------------|
| debian      | squid                                | < squid 5.7-2+deb12u4 (bookworm) | squid 5.7-2+deb12u4 (bookworm) |
| msrc        | azl3_squid_6.13-1_on_azure_linux_3.0 |                                  |                                |
| msrc        | azl3_squid_6.13-3_on_azure_linux_3.0 |                                  |                                |
| squid-cache | squid                                | < 7.2                            | 7.2                            |
| squid       | squid                                | >= 0 < 4.13-10+deb11u6           | 4.13-10+deb11u6                |
| squid       | squid                                | >= 0 < 5.7-2+deb12u4             | 5.7-2+deb12u4                  |
| squid       | squid                                | >= 0 < 6.13-2+deb13u1            | 6.13-2+deb13u1                 |
| squid       | squid                                | >= 0 < 7.2-1                     | 7.2-1                          |

Detection & IOCs (extracted from sources)

command: email_err_data off
other: ERR_DNS_FAIL in HTTP error page body (Squid credential leak indicator)
other: Authorization%3A%20Bearer%20([^%]+) — URL-encoded Authorization header in Squid error page body
yara: Nuclei template: matchers on status_code==503, body contains 'mailto:', body contains 'ERR_DNS_FAIL', body contains injected Bearer token; extractor regex: Authorization%3A%20Bearer%20([^%]+)
  • Trigger detection by sending a request with an Authorization: Bearer <token> header to a non-resolvable host through Squid; a vulnerable instance returns HTTP 503 with the token embedded in the mailto: diagnostic block of the error page body.
  • Search Squid error page responses (HTTP 503) for the string 'mailto:' combined with 'ERR_DNS_FAIL' and a URL-encoded Authorization header value (Authorization%3A%20Bearer%20) to identify active credential leakage.
  • No authentication to Squid is required to exploit this vulnerability; any remote client can trigger an error condition to extract credentials.
  • On Red Hat Enterprise Linux, the default Squid configuration has email_err_data enabled, making all default RHEL Squid deployments prior to 7.2 vulnerable without additional configuration changes.
  • Check squid.conf for the absence of 'email_err_data off'; if the directive is missing, the instance is vulnerable by default.
  • Vulnerability is only exploitable when email_err_data is enabled (on) in squid.conf; this is the default on Red Hat Enterprise Linux. Instances with 'email_err_data off' are not vulnerable.
  • Attacks do not require Squid to be configured with HTTP authentication — any Authorization header passed through Squid (e.g., Bearer tokens for backend apps) can be leaked.
  • The credential leak specifically affects the mailto: diagnostic block in Squid-generated error pages; disabling email_err_data in squid.conf is the documented workaround for versions prior to 7.2.
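The detection bullets above describe what to look for in a Squid error page: a 503 response, a mailto: diagnostic block, the ERR_DNS_FAIL marker and a URL-encoded Authorization header inside the mailto body. The following Python is an added example written for this page (it is not code from the Squid project, the CVE feed or the Nuclei template) that applies those checks to a captured response body and decodes the mailto: block so an operator can see exactly which request headers the diagnostic link carries. The sample error page is constructed by hand to resemble Squid's ERR_DNS_FAIL page; the real markup may differ in detail, and the bearer value is a placeholder. It generalizes slightly beyond the page's Bearer-only regex by matching any Authorization scheme (Basic, Bearer, Negotiate, etc.) and reports credentials in redacted form so the checker itself does not re-leak them into scanner logs.

```python
import re
from html import unescape
from urllib.parse import parse_qs

# Constructed sample of a Squid 503 error page with email_err_data on (hand-made for this
# example, not a real capture). The mailto: body parameter carries the client request headers.
SAMPLE_LEAKING_BODY = (
    '<html><head><title>ERROR: The requested URL could not be retrieved</title></head>'
    '<body><h1>ERROR</h1><p>The following error was encountered while trying to retrieve the URL: '
    '<a href="http://no-such-host.example/">http://no-such-host.example/</a></p>'
    '<blockquote id="error"><p><b>Unable to determine IP address from host name</b></p></blockquote>'
    '<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_DNS_FAIL'
    '&amp;body=CacheHost%3A%20proxy.example%0D%0AErrPage%3A%20ERR_DNS_FAIL%0D%0A'
    'Request%3A%20GET%20http%3A%2F%2Fno-such-host.example%2F%20HTTP%2F1.1%0D%0A'
    'Authorization%3A%20Bearer%20EXAMPLE-TOKEN-abc123%0D%0AHost%3A%20no-such-host.example%0D%0A">'
    'webmaster</a>.</p></body></html>'
)

# Constructed sample of the same page with email_err_data off: the mailto: link has a subject only.
SAMPLE_SAFE_BODY = (
    '<html><body><h1>ERROR</h1><p>Your cache administrator is '
    '<a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_DNS_FAIL">webmaster</a>.</p>'
    '</body></html>'
)

# URL-encoded "Authorization: <scheme> <credential>" inside the mailto: body. Broader than the
# page's Bearer-only regex: any token68/scheme word is accepted, and the credential stops at the
# next percent-escape or attribute delimiter.
AUTH_RE = re.compile(r"Authorization%3A%20([A-Za-z][A-Za-z0-9-]*)%20([^%&\"'<>\s]+)", re.IGNORECASE)
MAILTO_HREF_RE = re.compile(r'href="(mailto:[^"]+)"', re.IGNORECASE)


def redact(secret, keep=4):
    """Mask a credential, keeping only its last few characters for correlation."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def check_squid_error_page(status_code, body):
    """Evaluate one proxy response against the CVE-2025-62168 leak indicators.

    'leak' is true whenever a URL-encoded Authorization header sits inside a mailto: block,
    regardless of status code; 'matches_scan_signature' additionally requires the 503 and
    ERR_DNS_FAIL markers the page's Nuclei template keys on.
    """
    indicators = {
        "status_503": status_code == 503,
        "mailto_block": "mailto:" in body,
        "err_dns_fail": "ERR_DNS_FAIL" in body,
    }
    match = AUTH_RE.search(body)
    leaked = None
    if match:
        scheme, secret = match.group(1), match.group(2)
        leaked = {"scheme": scheme, "redacted": redact(secret), "length": len(secret)}
    leak = bool(match) and indicators["mailto_block"]
    return {
        "leak": leak,
        "matches_scan_signature": leak and indicators["status_503"] and indicators["err_dns_fail"],
        "indicators": indicators,
        "leaked_credential": leaked,
    }


def mailto_diagnostic_lines(body):
    """Decode the body= parameter of the first mailto: link into its individual lines."""
    match = MAILTO_HREF_RE.search(body)
    if not match:
        return []
    href = unescape(match.group(1))                  # &amp; -> & inside the attribute
    query = href.split("?", 1)[1] if "?" in href else ""
    params = parse_qs(query)                         # percent-decodes %3A, %20, %0D%0A, ...
    text = params.get("body", [""])[0]
    return [line for line in text.replace("\r\n", "\n").split("\n") if line]


def leaked_auth_headers(body):
    """Return the decoded Authorization lines carried by the mailto: diagnostic block."""
    return [line for line in mailto_diagnostic_lines(body) if line.lower().startswith("authorization:")]


if __name__ == "__main__":
    for name, sample in (("leaking", SAMPLE_LEAKING_BODY), ("safe", SAMPLE_SAFE_BODY)):
        result = check_squid_error_page(503, sample)
        print(name, result["leak"], result["leaked_credential"])
        for line in mailto_diagnostic_lines(sample):
            print("   ", line)
```

Run it over response bodies captured from your own proxy (for example from a HAR export or a reverse-proxy access log that stores bodies) rather than from live probes; the decoded line list shows that with email_err_data on the diagnostic block repeats the full client request line and headers, which is why the fix and the workaround both target that block.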

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv           |         | 7.5   | HIGH     |                                              |
| vendor_debian |         | 10.0  | CRITICAL |                                              |
| vendor_msrc   |         | 10.0  | CRITICAL |                                              |
| vendor_redhat |         | 10.0  | CRITICAL |                                              |