CVE-2025-62168
Published: 17 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Security Summary
CVE-2025-62168 is an information disclosure vulnerability in Squid, an open-source caching proxy for the web, affecting versions prior to 7.2. The issue stems from a failure to redact HTTP authentication credentials during error handling, so the credentials a client sent end up in the error page Squid generates. The flaw is classified under CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-550 (Server-generated Error Message Containing Sensitive Information) and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N): network reachable, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality and integrity.
Remote attackers can exploit this vulnerability without Squid being configured for HTTP authentication. By triggering an error condition, an attacker-controlled script can bypass browser security protections such as the same-origin policy and extract the authentication credentials a trusted client sent through the proxy. A remote client can thereby learn security tokens or internal credentials used by web applications that place Squid in front of their backends for load balancing, compromising those applications' authentication mechanisms.
The vulnerability is fixed in Squid version 7.2; see the fix commit on GitHub (0951a0681011dfca3d78c84fd7f1e19c78a4443f) and the security advisory (GHSA-c8cc-phh7-xmxr). A workaround, noted in the OSS-security mailing list announcement, is to disable debug information in administrator mailto links by adding "email_err_data off" to squid.conf. The workaround only removes the request data from the generated error pages; it does not change the underlying handling, so upgrading to 7.2 remains the fix. Until the upgrade is done, practitioners should apply the workaround, verify it took effect on every Squid instance, and monitor for error responses that carry Authorization or Proxy-Authorization values.
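An added triage script illustrating the checks described above; it is not code from the Squid project or from the advisory. It assumes that `squid -v` prints a first line of the form "Squid Cache: Version X.Y[.Z]", that squid.conf directives sit one per line with `#` comments and the last occurrence of a directive wins, that `email_err_data` defaults to on when absent, and that a leaked credential appears in an error page as a (possibly URL-encoded) "Authorization:" or "Proxy-Authorization:" header line. The sample error page body is constructed for the example.

```python
"""Triage helpers for CVE-2025-62168 (added example, not Squid project code).

Assumptions (not taken from the advisory):
  * `squid -v` output starts with "Squid Cache: Version X.Y[.Z]".
  * squid.conf directives are one per line, '#' starts a comment,
    and the last occurrence of a directive wins.
  * email_err_data defaults to "on" when the directive is absent.
  * A leaked credential shows up in an error page as an
    "Authorization:" / "Proxy-Authorization:" line, possibly URL-encoded
    inside a mailto: link.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (7, 2)  # first release carrying the fix, per the advisory


def parse_squid_version(squid_v_output: str) -> tuple:
    """Return (major, minor, patch) parsed from `squid -v` output."""
    m = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", squid_v_output)
    if not m:
        raise ValueError("no Squid version string found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version: tuple) -> bool:
    """True for any release before 7.2 (the advisory's fixed version)."""
    return tuple(version[:2]) < FIXED_VERSION


def email_err_data_setting(conf_text: str) -> str:
    """Return the effective email_err_data value ('on' or 'off').

    Comments are stripped, the last directive wins, and an absent
    directive yields the assumed default 'on'.
    """
    value = "on"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "email_err_data":
            value = parts[1].lower()
    return value


def triage(squid_v_output: str, conf_text: str) -> str:
    """Classify an instance as 'fixed', 'mitigated' (workaround on) or 'exposed'."""
    if not is_vulnerable_version(parse_squid_version(squid_v_output)):
        return "fixed"
    if email_err_data_setting(conf_text) == "off":
        return "mitigated"
    return "exposed"


# Heuristic for monitoring: look for credential headers echoed into a body.
_CRED_RE = re.compile(r"(?i)\b(Proxy-Authorization|Authorization):[ \t]*([^\r\n]+)")


def find_leaked_credentials(response_body: str) -> list:
    """Return (header, value) pairs for credential headers found in a body.

    The body is URL-decoded first so values hidden inside a mailto: link
    (where newlines are %0A and spaces %20) are caught as well.
    """
    decoded = unquote(response_body)
    return [(h, v.strip()) for h, v in _CRED_RE.findall(decoded)]


if __name__ == "__main__":
    # Constructed sample inputs; not captured from a real Squid instance.
    sample_version = "Squid Cache: Version 6.10\nService Name: squid\n"
    sample_conf = "http_port 3128\n# email_err_data off  (commented out on purpose)\n"
    sample_body = (
        '<a href="mailto:webmaster@example.test?subject=CacheErrorInfo'
        '&body=Proxy-Authorization%3A%20Basic%20dXNlcjpwYXNz%0A">'
    )
    print("status:", triage(sample_version, sample_conf))
    print("leaked:", find_leaked_credentials(sample_body))
```

Run the script against the real `squid -v` output and squid.conf of each proxy; anything reported as "exposed" needs the workaround immediately and an upgrade to 7.2 as soon as possible. The body scan is deliberately coarse: it is meant to flag error responses worth a closer look, not to prove exploitation.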
Details
- CWE(s): CWE-209 (Generation of Error Message Containing Sensitive Information); CWE-550 (Server-generated Error Message Containing Sensitive Information)
Affected Products
- Squid, versions prior to 7.2
MITRE ATT&CK Enterprise Techniques
- T1212 Exploitation for Credential Access
Why these techniques?
The vulnerability in Squid discloses HTTP authentication credentials through unredacted error messages, so an adversary who triggers the error obtains credentials without any prior access; that matches Exploitation for Credential Access, where a software vulnerability is exploited to collect credentials.