{"id":"AZL-68562","summary":"CVE-2025-62168 affecting package squid for versions less than 6.13-3","details":"Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.","modified":"2026-04-01T05:21:26.992468Z","published":"2025-10-17T17:15:49Z","upstream":["CVE-2025-62168"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62168"}],"affected":[{"package":{"name":"squid","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/squid"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.13-3"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68562.json"}}],"schema_version":"1.7.5"}