PT-2025-42624
Published 2025-09-14 · Updated 2026-04-12
CVE-2025-62168
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Squid versions prior to 7.2
Squid versions 3.x through 3.5.28
Squid versions 4.x through 4.17
Squid versions 5.x through 5.9
Squid versions 6.x through 6.14
Squid versions 7.x through 7.1
Description
Squid, a caching proxy for the Web, contains a flaw where it fails to redact HTTP authentication credentials in error handling. This allows an attacker to potentially bypass browser security protections and obtain sensitive information, such as credentials or security tokens, used by trusted clients. The issue does not require HTTP authentication to be configured. The vulnerability is related to the email_err_data configuration parameter, which controls whether request details are embedded in the administrator mailto link on Squid error pages. Approximately 40 million to 47.2 million instances are estimated to be vulnerable worldwide. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application that uses Squid for backend load balancing.
Recommendations
For versions prior to 7.2, update to version 7.2 or later.
As a workaround for versions prior to 7.2, disable debug information in administrator mailto links by setting email_err_data off in the squid.conf file.
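As an added defender-side check (not part of this advisory), the following Python script assesses a Squid host from its squid -v banner and its squid.conf text: it reports the install as fixed (7.2 or later), mitigated (email_err_data off) or vulnerable (an affected release with the directive still at its default). The banner format and the directive's default of on are assumptions taken from Squid's documentation, and the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Release that carries the fix, per the advisory: everything older is affected.
FIXED_VERSION = (7, 2)

def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Pull (major, minor[, patch]) out of a 'squid -v' banner such as
    'Squid Cache: Version 6.10' (banner format assumed from Squid's output)."""
    m = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def email_err_data_enabled(conf_text: str) -> bool:
    """Resolve the effective email_err_data value from squid.conf text:
    comments are stripped, the last directive wins, and the directive is
    assumed to default to 'on' when absent (Squid's documented default)."""
    value = "on"
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "email_err_data":
            value = parts[1].lower()
    return value == "on"

def assess(banner: str, conf_text: str) -> str:
    """Classify a host as 'fixed', 'mitigated', 'vulnerable' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"          # no usable version string: check by hand
    if version[:2] >= FIXED_VERSION:
        return "fixed"            # 7.2+ redacts the credentials itself
    if email_err_data_enabled(conf_text):
        return "vulnerable"       # affected release, mailto debug data still on
    return "mitigated"            # affected release, workaround applied

if __name__ == "__main__":
    # Constructed sample inputs: an affected 6.x release with the workaround.
    sample_banner = "Squid Cache: Version 6.14"
    sample_conf = "# email_err_data on\nhttp_port 3128\nemail_err_data off\n"
    print(assess(sample_banner, sample_conf))  # mitigated
```

The workaround only takes effect once Squid re-reads its configuration (squid -k reconfigure or a restart), so check a live host after the reload, not just the file.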
Generation of Error Message Containing Sensitive Information
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Squid
Squid Cache
Suse
Ubuntu