Cyber Resilience

CVE-2025-62168

Critical

Published: 17 October 2025

Published
17 October 2025
Modified
05 November 2025
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.2056 95.7th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62168 is a critical-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Squid-Cache Squid. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62168 is an information disclosure vulnerability in Squid, an open-source caching proxy for the web, affecting versions prior to 7.2. The issue stems from a failure to redact HTTP authentication credentials during error handling, which exposes these credentials in generated error messages. This flaw, associated with CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-550 (Information Exposure Through Directory Listing), carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low complexity, lack of privileges or user interaction required, and high impacts on confidentiality and integrity with scope expansion.

Remote attackers can exploit this vulnerability without needing Squid to be configured for HTTP authentication. By triggering an error condition, an attacker-controlled script can bypass browser security protections, such as same-origin policy, to extract authentication credentials used by a trusted client. This enables a remote client to learn security tokens or internal credentials employed by web applications that use Squid for backend load balancing, potentially compromising application authentication mechanisms.

The vulnerability is fixed in Squid version 7.2, as detailed in the official GitHub commit (0951a0681011dfca3d78c84fd7f1e19c78a4443f) and security advisory (GHSA-c8cc-phh7-xmxr). A workaround involves disabling debug information in administrator mailto links by adding "email_err_data off" to squid.conf, as noted in the OSS-security mailing list announcement. Security practitioners should upgrade to version 7.2 or apply the workaround and monitor for anomalous error responses.

EU & UK References

Vulnerability details

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the…

more

credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The vulnerability in Squid leads to information disclosure of HTTP authentication credentials via unredacted error messages, enabling adversaries to exploit it for credential access.

CVEs Like This One

CVE-2026-32748Same product: Squid-Cache Squid
CVE-2026-33526Same product: Squid-Cache Squid
CVE-2025-54574Same product: Squid-Cache Squid
CVE-2024-12380Shared CWE-209
CVE-2023-38010Shared CWE-209
CVE-2025-71282Shared CWE-209
CVE-2025-22218Shared CWE-209
CVE-2025-13726Shared CWE-209
CVE-2025-46658Shared CWE-209
CVE-2025-31141Shared CWE-209

Affected Assets

squid-cache
squid
≤ 7.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-11 requires error handling that avoids disclosing sensitive information such as HTTP authentication credentials in Squid's error messages.

prevent

SI-2 mandates timely flaw remediation, directly addressing the need to upgrade Squid to version 7.2 to fix the credential disclosure vulnerability.

prevent

CM-6 enforces secure configuration settings like 'email_err_data off' in squid.conf as a workaround to prevent exposure of credentials in error outputs.

References