CVE-2025-62168
Squid vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-62168) with a CVSS score of 10.0 was discovered in Squid, a widely used open-source caching proxy for web traffic acceleration. The vulnerability affects all Squid versions up to and including 7.1, stemming from a failure to redact HTTP authentication credentials during error handling. The flaw was discovered by Leonardo Giovannini of Doyensec and was officially disclosed on October 17, 2025 (Security Online, GitHub Advisory).

Technical details

The vulnerability occurs when Squid's error page handling mechanism inadvertently includes sensitive HTTP authentication data in the responses it returns. The flaw specifically affects systems where debug information is embedded in administrator mailto links via the emailerrdata directive. The issue is particularly concerning because it affects every installation with emailerrdata enabled, including those without any explicit HTTP Authentication configuration. The vulnerability has been assigned the CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-550 (Server-generated Error Message Containing Sensitive Information) classifications (GitHub Advisory).

Impact

The vulnerability allows attackers to bypass browser security protections and obtain credentials used by trusted clients for authentication. It can expose authentication tokens used internally by web applications and backend services, particularly in environments where Squid is used for backend load balancing. This exposure could enable attackers to impersonate users, pivot deeper into networks, or compromise backend systems relying on Squid as a reverse proxy (Security Online).

Mitigation and workarounds

The vulnerability has been fully addressed in Squid version 7.2, which implements robust credential redaction in all error handling functions. For immediate mitigation, administrators can disable debug information in administrator mailto links by configuring squid.conf with 'emailerrdata off'. The project has also published a direct code patch (0951a06) for administrators unable to immediately upgrade (GitHub Advisory).
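The following checker is an added example, not code from the Squid project or from this report. It turns the two facts above (fixed in 7.2, exposure depends on the mailto debug directive being enabled) into a deployment check that reads a squid.conf text and a version string. Assumptions: the page spells the directive emailerrdata while squid.conf.documented spells it email_err_data, so both spellings are accepted; the Squid default for this directive is taken to be on, so a configuration that never mentions it is treated as enabled; versions are compared on their leading numeric components only; the sample configurations are constructed for illustration.

```python
"""Assess a Squid deployment against CVE-2025-62168 (added example, not project code)."""
import re

FIXED_VERSION = (7, 2)  # advisory: fully addressed in Squid 7.2

# The report names the directive 'emailerrdata'; Squid's documented spelling is
# 'email_err_data'. Assumption: accept both so either form in a config is found.
DIRECTIVE_RE = re.compile(r"^\s*(email_err_data|emailerrdata)\s+(on|off)\b", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '7.1' or '6.10-1ubuntu1' into a comparable tuple of the leading ints."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable Squid version: {version!r}")
    return tuple(parts)


def email_err_data_enabled(conf_text: str, default: bool = True) -> bool:
    """Effective value of the mailto-debug directive.

    Squid honours the last occurrence of a directive, so the last uncommented
    match wins. Assumption: the directive defaults to 'on' when absent.
    """
    setting = default
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0]  # drop trailing '#' comments
        m = DIRECTIVE_RE.match(stripped)
        if m:
            setting = m.group(2).lower() == "on"
    return setting


def assess(version: str, conf_text: str) -> dict:
    """Combine version and configuration into a single exposure verdict."""
    patched = parse_version(version) >= FIXED_VERSION
    debug_in_mailto = email_err_data_enabled(conf_text)
    exposed = (not patched) and debug_in_mailto
    if patched:
        action = "none: running a fixed release"
    elif debug_in_mailto:
        action = "set 'email_err_data off' (or apply patch 0951a06) until upgraded to 7.2"
    else:
        action = "workaround in place; upgrade to 7.2 when possible"
    return {
        "version": version,
        "patched": patched,
        "email_err_data": debug_in_mailto,
        "exposed": exposed,
        "action": action,
    }


# Constructed sample configurations for illustration.
CONF_DEFAULT = "http_port 3128\ncache_mem 256 MB\n"          # directive absent -> default on
CONF_OFF = "http_port 3128\nemail_err_data off  # CVE-2025-62168 workaround\n"
CONF_COMMENTED = "# email_err_data off\nhttp_port 3128\n"   # commented out -> still on


if __name__ == "__main__":
    for ver, conf in (("7.1", CONF_DEFAULT), ("7.1", CONF_OFF),
                      ("6.10-1ubuntu1", CONF_COMMENTED), ("7.2", CONF_DEFAULT)):
        print(assess(ver, conf))
```

The check is deliberately conservative: a commented-out directive or one that is simply missing is reported as enabled, which matches the report's point that installations are affected even without an explicit authentication configuration.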

Additional resources


This report was generated using AI.

Related Squid vulnerabilities:

CVE ID          Severity  Score  Technology  Component names          CISA KEV exploit  Has fix  Published date
CVE-2025-54574  CRITICAL  9.8    Squid       Squid, squid-debuginfo   No                Yes      Aug 01, 2025
CVE-2025-62168  HIGH      7.5    Squid       Squid, libecap-devel     No                Yes      Oct 17, 2025
CVE-2024-45802  HIGH      7.5    Squid       Squid, squid-debuginfo   No                Yes      Oct 28, 2024
CVE-2024-37894  MEDIUM    6.3    Squid       Squid, squid:4::libecap  No                Yes      Jun 25, 2024
CVE-2025-59362  MEDIUM    4      Squid       Squid, squid-sysvinit    No                Yes      Sep 26, 2025
