{"id":"AZL-68589","summary":"CVE-2025-62168 affecting package squid 5.7-5","details":"Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.","modified":"2026-04-01T05:21:27.487624Z","published":"2025-10-17T17:15:49Z","upstream":["CVE-2025-62168"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62168"}],"affected":[{"package":{"name":"squid","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/squid"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.7-5"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68589.json"}}],"schema_version":"1.7.5"}