Squid developers have disclosed and fixed a serious vulnerability that allows HTTP authentication credentials and security tokens to leak when the software generates an error page. The vulnerability, CVE-2025-62168, rated CVSS 10.0, arises because Squid failed to remove authentication data from the response content in some error-handling paths, causing sensitive data to be revealed to third parties via proxy-generated error pages.

The problem is directly related to the mechanism that attaches debug information to the mailto link for administrators, which is controlled by the email_err_data configuration parameter. When this option is active, Squid may inadvertently attach internal authentication or token information to the error page. An attacker can exploit this with code designed to bypass browser security protections and extract the data that appears in the error response.

According to the development team, CVE-2025-62168 affects all versions of Squid up to 7.1, depending on system configuration. Because Squid is often deployed as a reverse proxy or gateway for multiple backend services, the impact can spread beyond a single server to internal services, allowing user impersonation, lateral movement within the network, or compromise of components behind the proxy.

Squid released a fix in version 7.2, in which the error-handling mechanism was updated to strip all authentication data before the response is returned to the client. The project also provides source code patches for environments that cannot be upgraded immediately. As an interim measure, administrators can disable the insertion of debug information into the administrator link by setting email_err_data off in squid.conf. The configuration can be checked with the following command:

Code:
squid -k parse 2>&1 | grep "email_err_data"
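
The grep above prints nothing when the directive is absent from squid.conf, so an empty result does not confirm the interim measure is in place. The script below is an added example (not from the Squid project or the original article) that reports the effective setting per config file; it assumes the last occurrence of the directive wins and, on the assumption that affected versions enable the option by default, treats an unset directive as not mitigated. The sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit the effective email_err_data setting in squid.conf files.

# Print the effective value for one config file: "off", "on", "unset" or "invalid".
# Assumption: when the directive appears more than once, the last one wins.
email_err_data_state() {
    value=$(sed 's/#.*//' "$1" |
        awk '$1 == "email_err_data" { v = tolower($2); seen = 1 }
             END { if (seen) print (v == "" ? "invalid" : v) }')
    case "$value" in
        on|off) echo "$value" ;;
        "")     echo unset ;;
        *)      echo invalid ;;
    esac
}

# Succeeds only when the interim measure (explicit "off") is in effect.
# Assumption: an unset directive means the affected default applies.
is_mitigated() {
    [ "$(email_err_data_state "$1")" = "off" ]
}

# Constructed sample configs covering the cases a plain grep misjudges.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' 'http_port 3128' '# email_err_data off' \
        > "$SAMPLE_DIR/commented.conf"
    printf '%s\n' 'http_port 3128' 'email_err_data off  # interim fix' \
        > "$SAMPLE_DIR/mitigated.conf"
    printf '%s\n' 'email_err_data off' 'email_err_data on' \
        > "$SAMPLE_DIR/overridden.conf"
}

make_samples
for conf in "$SAMPLE_DIR"/*.conf; do
    if is_mitigated "$conf"; then verdict="mitigated"; else verdict="REVIEW"; fi
    printf '%-16s %-7s %s\n' "$(basename "$conf")" \
        "$(email_err_data_state "$conf")" "$verdict"
done
rm -rf "$SAMPLE_DIR"
```

Point `email_err_data_state` at each proxy's real squid.conf to use it outside the constructed samples; files pulled in through include directives are not followed.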

Since CVE-2025-62168 can be exploited without special privileges, public or intranet Squid deployments need to be reviewed urgently. Because the proxy sits between users and web applications, even a small error in exception handling can undermine the entire authentication mechanism, turning the proxy into a critical source of information leakage.

Operators are advised to check every Squid instance in their infrastructure, apply the latest patch, or temporarily disable the affected feature. Backend services should also be reviewed to assess the risk of token leakage. For systems that previously displayed debugging information on error pages, all potentially exposed tokens should be rotated and monitoring for unusual access activity should be strengthened.

CVE-2025-62168 again shows the risk posed by seemingly minor flaws in error handling. When authentication data is not properly protected, an intermediate layer such as a proxy can become the weakest link in the defense chain. For organizations that use Squid on a large scale, a single delayed patch or misconfiguration is enough to give an attacker access to internal systems.

According to Security Online