Cyber Posture

CVE-2025-62168

Severity: Critical
Published: 17 October 2025
Modified: 05 November 2025
KEV Added: not listed
Patch: available (Squid 7.2)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0017 (38.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62168 is a critical-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Squid-Cache Squid. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). Its EPSS score of 0.0017 places it at the 38.4th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Credential Access (T1212). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-11 Error Handling (prevent): requires error handling that does not disclose sensitive information, such as the HTTP authentication credentials Squid included in its error pages.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation, here upgrading Squid to 7.2, the release that fixes the credential disclosure.

CM-6 Configuration Settings (prevent): enforces secure configuration settings, here email_err_data off in squid.conf as the interim workaround, so that request data containing credentials is not included in error output.

MITRE ATT&CK Enterprise Techniques

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The vulnerability in Squid leads to information disclosure of HTTP authentication credentials via unredacted error messages, enabling adversaries to exploit it for credential access.

NVD Description

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

Deeper analysis

CVE-2025-62168 is an information disclosure vulnerability in Squid, an open-source caching proxy for the web, affecting versions prior to 7.2. The issue stems from a failure to redact HTTP authentication credentials during error handling, which exposes these credentials in generated error messages. The flaw is associated with CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-550 (Server-generated Error Message Containing Sensitive Information) and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N): critical because it is reachable over the network with low attack complexity, requires no privileges or user interaction, changes scope, and has high confidentiality and integrity impact.

Remote attackers can exploit this vulnerability without Squid being configured for HTTP authentication. By triggering an error condition, an attacker-controlled script can read the resulting error page and thereby bypass browser security protections, such as the same-origin policy, to extract the authentication credentials a trusted client sent with its request. This lets a remote client learn security tokens or internal credentials employed by web applications that use Squid for backend load balancing, potentially compromising the application's authentication mechanisms.

The vulnerability is fixed in Squid version 7.2, as detailed in the official GitHub commit (0951a0681011dfca3d78c84fd7f1e19c78a4443f) and security advisory (GHSA-c8cc-phh7-xmxr). The workaround is to disable debug information in administrator mailto links by setting email_err_data off in squid.conf, as noted in the oss-security mailing list announcement. Security practitioners should upgrade to version 7.2 or, until they can, apply the workaround, and should monitor for anomalous error responses.
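Both the email_err_data off workaround and the advice to watch error responses reduce to one question: does a Squid error page, as served to a client, carry that client's Authorization header? The script below, added here as an illustration and not part of Squid or of this advisory, answers it. It sends a canary Basic credential through a proxy to a host under the reserved .invalid TLD (DNS fails by design, so Squid answers with its own ERR_DNS_FAIL page) and searches the response, including the percent-encoded body of the administrator mailto: link that email_err_data controls, for the canary. The sample pages it builds for offline use are constructed approximations of Squid's error template, not captured proxy output, and the hostnames and addresses in them are placeholders.

```python
"""Check a Squid error page for a leaked client credential (CVE-2025-62168).

Added example for this page, not Squid project code. Sample pages are
constructed approximations of Squid's ERR_DNS_FAIL template.
"""
import base64
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterator, Optional

# Constructed canary; never reuse a real credential for this probe.
CANARY_USER = "probe"
CANARY_PASS = "S3cret-canary"


def canary_header() -> str:
    """Basic credential the probe sends; the check looks for this exact value."""
    token = base64.b64encode(f"{CANARY_USER}:{CANARY_PASS}".encode()).decode()
    return f"Basic {token}"


def build_sample_page(email_err_data: bool, auth_value: str) -> str:
    """Construct an ERR_DNS_FAIL-style page for offline testing.

    email_err_data=True approximates a pre-7.2 proxy with the default
    'email_err_data on': the mailto link body carries the client request,
    Authorization header included. False approximates the 'email_err_data
    off' workaround, where the link has no body at all.
    """
    href = "mailto:webmaster@example.test"
    if email_err_data:
        details = "\r\n".join([
            "CacheHost: proxy.example", "ErrPage: ERR_DNS_FAIL",
            "ClientIP: 192.0.2.10", "", "HTTP Request:",
            "GET http://nonexistent.invalid/ HTTP/1.1",
            "Host: nonexistent.invalid", f"Authorization: {auth_value}",
        ])
        href += ("?subject=CacheErrorInfo%20-%20ERR_DNS_FAIL"
                 f"&amp;body={urllib.parse.quote(details)}")
    return ("<html><body><h1>ERROR</h1><p>Unable to determine IP address from "
            "host name <q>nonexistent.invalid</q></p><p>Your cache administrator "
            f'is <a href="{href}">webmaster</a>.</p></body></html>')


def mailto_bodies(page: str) -> Iterator[str]:
    """Yield the URL-decoded body= parameter of every mailto: link in the page."""
    for href in re.findall(r'href="(mailto:[^"]+)"', page, flags=re.IGNORECASE):
        href = html.unescape(href)                  # &amp; -> &
        query = href.partition("?")[2]
        yield from urllib.parse.parse_qs(query).get("body", [])


def find_credential_leak(page: str, auth_value: str) -> Optional[str]:
    """Return where the canary surfaced, or None if the page does not expose it.

    Raw HTML is checked first, then each decoded mailto body: a credential
    percent-encoded inside the link is invisible to a plain substring search
    (the space after 'Basic' becomes %20, base64 padding '=' becomes %3D).
    """
    plaintext = f"{CANARY_USER}:{CANARY_PASS}"
    if auth_value in page or plaintext in page:
        return "raw HTML contains the credential"
    for body in mailto_bodies(page):
        if auth_value in body or plaintext in body:
            return "mailto body contains the credential"
    return None


def fetch_error_page(proxy: str, auth_value: str,
                     target: str = "http://nonexistent.invalid/") -> str:
    """Send one request through a live Squid (network; not exercised offline).

    No proxy authentication is configured or needed, matching the advisory:
    the header at risk is the origin Authorization header the client sends.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    req = urllib.request.Request(target, headers={"Authorization": auth_value})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:           # Squid error pages are 4xx/5xx
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    auth = canary_header()
    if len(sys.argv) > 1:                           # e.g. http://127.0.0.1:3128
        print(find_credential_leak(fetch_error_page(sys.argv[1], auth), auth)
              or "no leak detected")
    else:
        for setting in (True, False):
            result = find_credential_leak(build_sample_page(setting, auth), auth)
            print(f"email_err_data {'on ' if setting else 'off'}: {result or 'no leak detected'}")
```

Run it with no arguments for the offline demonstration, or with the proxy URL to probe a live instance. A non-None result before the change and None after it is the evidence that the upgrade to 7.2 or the email_err_data off workaround took effect; because the check decodes the mailto body rather than grepping the raw HTML, it is not fooled by the percent-encoding that hides the header from a casual look at the page.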

Details

CWE(s): CWE-209 Generation of Error Message Containing Sensitive Information

Affected Products: squid-cache squid, versions before 7.2 (fixed in 7.2)

CVEs Like This One

CVE-2025-54574 (same product: Squid-Cache Squid)
CVE-2026-33526 (same product: Squid-Cache Squid)
CVE-2026-32748 (same product: Squid-Cache Squid)
CVE-2025-13726 (shared CWE-209)
CVE-2026-22646 (shared CWE-209)
CVE-2025-22218 (shared CWE-209)
CVE-2025-1395 (shared CWE-209)
CVE-2025-31141 (shared CWE-209)
CVE-2023-38010 (shared CWE-209)
CVE-2025-46658 (shared CWE-209)
