The developers of Squid, the widely used open-source caching proxy for web traffic acceleration, have disclosed and patched a critical information disclosure vulnerability tracked as CVE-2025-62168 (CVSS 10.0). The flaw arises from a failure to redact HTTP authentication credentials during error handling, potentially allowing attackers to bypass browser security protections and harvest sensitive authentication tokens or credentials used by trusted clients and backend applications.
According to the Squid Project’s advisory, “Due to a failure to redact HTTP Authentication credentials Squid is vulnerable to an Information Disclosure attack.”
This vulnerability affects all Squid versions up to and including 7.1, depending on specific configuration settings. The flaw occurs when Squid’s error page handling inadvertently includes sensitive HTTP authentication data in the returned responses, a severe privacy breach that attackers could exploit through crafted scripts.
The advisory warns:
“This problem allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate.”
The researchers further explain that even installations not configured with HTTP Authentication can be affected, expanding the potential attack surface.
“These attacks do not require Squid to be configured with HTTP Authentication.”
The impact of CVE-2025-62168 extends beyond simple error disclosure: it can expose authentication tokens used internally by web applications and backend services.
“This problem potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing.”
Such leakage could allow attackers to impersonate users, pivot deeper into networks, or compromise backend systems relying on Squid as a reverse proxy.
Given Squid’s popularity in enterprise and ISP environments, where it often serves as a gateway for multiple backend web services, the potential for wide-scale credential compromise makes this vulnerability particularly concerning.
The flaw specifically affects systems where debug information is embedded in administrator mailto links via the email_err_data directive.
Administrators can test if their configuration is vulnerable using the following command:
The project clarifies:
“All Squid up to and including 7.1 with email_err_data on are vulnerable. All Squid up to and including 7.1 without email_err_data are vulnerable.”
In other words, unless administrators have explicitly disabled the email_err_data feature, their deployments may be leaking sensitive data through error responses.
The issue has been fully addressed in Squid version 7.2, which implements robust credential redaction in all error handling functions. In addition, the maintainers have published a direct code patch for administrators unable to immediately upgrade.
For immediate mitigation, the project recommends disabling the problematic feature entirely:
“Disable debug information in administrator mailto links generated by Squid. By configuring squid.conf with: email_err_data off.”
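As an added example, not from the Squid advisory or the project's own code, the following POSIX shell snippet classifies a squid.conf by the effective email_err_data state the advisory describes and rewrites it to the recommended `email_err_data off`. It assumes Squid's documented default for the directive is `on` (so a configuration that never mentions it is treated as vulnerable, matching the advisory's wording) and that a later occurrence of a directive overrides an earlier one; the sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Squid project): audit and harden the
# email_err_data directive relevant to CVE-2025-62168.

# Reads a squid.conf on stdin, prints "vulnerable" or "mitigated".
# Comments are stripped first; a directive that is absent falls back to
# Squid's documented default of "on" (assumption: later lines override
# earlier ones, so the last occurrence wins).
classify_email_err_data() {
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        tolower($1) == "email_err_data" { state = tolower($2) }
        END {
            if (state == "") state = "on"        # directive absent: default on
            if (state == "off") print "mitigated"; else print "vulnerable"
        }
    '
}

# Reads a squid.conf on stdin and writes a hardened copy: every active
# email_err_data line becomes "email_err_data off"; if the directive is
# absent it is appended. Comment lines are passed through untouched.
harden_email_err_data() {
    awk '
        tolower($1) == "email_err_data" && $0 !~ /^[ \t]*#/ {
            print "email_err_data off"; seen = 1; next
        }
        { print }
        END { if (!seen) print "email_err_data off" }
    '
}

# Constructed sample configurations (not taken from any real deployment).
CONF_ABSENT='http_port 3128
cache_mem 256 MB'

CONF_ON='http_port 3128
email_err_data on'

CONF_OFF='http_port 3128
# email_err_data on   (left commented out on purpose)
email_err_data off'

# Stand-alone demonstration: report each sample, then show the hardened
# form of the vulnerable "on" configuration.
for name in CONF_ABSENT CONF_ON CONF_OFF; do
    eval "conf=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$conf" | classify_email_err_data)"
done
printf -- '--- hardened CONF_ON ---\n'
printf '%s\n' "$CONF_ON" | harden_email_err_data
```

Run it against a real file with `classify_email_err_data < /etc/squid/squid.conf`; the hardening helper writes to stdout so the result can be reviewed before replacing the live configuration and reloading Squid.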