{"id":"CVE-2025-62168","summary":"Squid vulnerable to information disclosure via authentication credential leakage in error handling","details":"Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, set email_err_data off in squid.conf, which disables the debug information in administrator mailto links generated by Squid.","aliases":["GHSA-c8cc-phh7-xmxr"],"modified":"2026-04-27T10:32:49.183002Z","published":"2025-10-17T16:21:30.156Z","related":["ALSA-2025:19107","ALSA-2025:20935","ALSA-2025:21002","SUSE-SU-2025:3902-1","SUSE-SU-2025:4026-1","SUSE-SU-2025:4029-1","SUSE-SU-2025:4099-1","SUSE-SU-2026:20078-1","openSUSE-SU-2025:15715-1","openSUSE-SU-2026:20027-1"],"database_specific":{"cwe_ids":["CWE-209","CWE-550"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62168.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/11/05/6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62168.json"},{"type":"ADVISORY","url":"https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62168"},{"type":"FIX","url":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/squid-cache/squid","events
":[{"introduced":"0"},{"fixed":"47319f017296369466edd21bccc64d194598da5a"},{"fixed":"0951a0681011dfca3d78c84fd7f1e19c78a4443f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.2"}]}}],"versions":["4.15-20210522-snapshot","4.15-20210523-snapshot","4.15-20210524-snapshot","4.15-20210525-snapshot","4.15-20210527-snapshot","5.0.6-20210522-snapshot","5.0.6-20210523-snapshot","5.0.6-20210524-snapshot","5.0.6-20210525-snapshot","5.0.6-20210527-snapshot","6.0.0-20210522-master-snapshot","6.0.0-20210523-master-snapshot","6.0.0-20210524-master-snapshot","6.0.0-20210525-master-snapshot","6.0.0-20210527-master-snapshot","HISTORIC_RELEASES","M-staged-PR161","M-staged-PR164","M-staged-PR170","M-staged-PR176","M-staged-PR179","M-staged-PR181","M-staged-PR182","M-staged-PR186","M-staged-PR189","M-staged-PR193","M-staged-PR195","M-staged-PR196","M-staged-PR198","M-staged-PR199","M-staged-PR200","M-staged-PR202","M-staged-PR206","M-staged-PR208","M-staged-PR209","M-staged-PR210","M-staged-PR218","M-staged-PR220","M-staged-PR221","M-staged-PR225","M-staged-PR227","M-staged-PR229","M-staged-PR230","M-staged-PR235","M-staged-PR237","M-staged-PR238","M-staged-PR239","M-staged-PR241","M-staged-PR242","M-staged-PR252","M-staged-PR255","M-staged-PR258","M-staged-PR264","M-staged-PR266","M-staged-PR267","M-staged-PR268","M-staged-PR274","M-staged-PR276","M-staged-PR293","M-staged-PR294","M-staged-PR295","M-staged-PR299","M-staged-PR306","M-staged-PR314","M-staged-PR319","M-staged-PR342","M-staged-PR345","M-staged-PR348","M-staged-PR351","M-staged-PR359","M-staged-PR364","M-staged-PR365","M-staged-PR366","M-staged-PR370","M-staged-PR372","M-staged-PR373","M-staged-PR375","M-staged-PR376","SQUID_3_0_PRE1","SQUID_3_0_PRE2","SQUID_3_0_PRE3","SQUID_3_0_PRE4","SQUID_3_0_PRE5","SQUID_3_0_PRE6","SQUID_3_0_PRE7","SQUID_3_0_RC1","SQUID_3_5_27","SQUID_4_0_1","SQUID_4_0_10","SQUID_4_0_11","SQUID_4_0_12","SQUID_4_0_13","SQUID_4_0_14","SQUID_4_0_15","SQUID_4_0_16","SQUID_4_0_2","SQUID_4_0
_3","SQUID_4_0_4","SQUID_4_0_5","SQUID_4_0_6","SQUID_4_0_7","SQUID_4_0_8","SQUID_4_0_9","SQUID_7_0_1","SQUID_7_0_2","SQUID_7_1","take00"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62168.json","vanir_signatures":[{"id":"CVE-2025-62168-0626ac7e","signature_version":"v1","signature_type":"Function","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"function":"clientReplyContext::traceReply","file":"src/client_side_reply.cc"},"digest":{"length":519,"function_hash":"327777053511069614100768595447467169557"},"deprecated":false},{"id":"CVE-2025-62168-06b18bf1","signature_version":"v1","signature_type":"Function","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"function":"ErrorState::compileLegacyCode","file":"src/errorpage.cc"},"digest":{"length":6766,"function_hash":"223393699816959158153041716773649096081"},"deprecated":false},{"id":"CVE-2025-62168-0f4afcb1","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/client_side_reply.cc"},"digest":{"line_hashes":["330079626216983299346319282789588783393","99536952372208532581533763674629013439","84464677960065060430487142461920381007","189422918959754237161340880122934813379","334676105343781249739851979182455721899","161960470368651605046960689044185620012","82337303492731924333263763390494726976","16617751422924729520036878086927693091","125273514181046216235845047567827882917","197986916738101401788913218546595376877","195683800932925076744946768351203205823","89500157157634256682350323965279218791","223224762111926895939179438283809802355","318804591450246526461169288817516739930","124797948367594300721061304620897118022","315412529450819247568495619715473999582","251752150260384581782488549897792607777","288048714456402902670763645
807465336534"],"threshold":0.9},"deprecated":false},{"id":"CVE-2025-62168-1609a26c","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/HttpRequest.h"},"digest":{"line_hashes":["48249970213127052476692123339404249387","23210683955670495681813925940210783768","31410642863208108351657732069860153360","21750396420790169326381846951660026255"],"threshold":0.9},"deprecated":false},{"id":"CVE-2025-62168-23b8062a","signature_version":"v1","signature_type":"Function","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"function":"ErrorState::Dump","file":"src/errorpage.cc"},"digest":{"length":1451,"function_hash":"296994947859421361316567431556731963747"},"deprecated":false},{"id":"CVE-2025-62168-2cc84e10","signature_version":"v1","signature_type":"Function","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"function":"HttpRequest::pack","file":"src/HttpRequest.cc"},"digest":{"length":320,"function_hash":"306257554989896350600461858124452392608"},"deprecated":false},{"id":"CVE-2025-62168-52bd77ac","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/errorpage.cc"},"digest":{"line_hashes":["272973159026035672876319060740702432136","275567706527222419870904455846139545512","182476390616691418709371087849344885","14175472231678874213252500129668194514","132606143200006266908282491039648670432","317390686196317057267930904157428759091","107728487872652795674991630616869168080","204342284197145843353369149636606796514","147051383532699138001766067756230264668","196416326470648265569878806786004517314","91499281048218063695817353562112862267","259660261571930952660586771733579124347","332297868249297743121564335921123091610","152406471211185516850
26373237294752037","254045675033858377989629266106479233859","292164418073743176844906936340783295965","318214153731623090490923765147276298280","81413023514986186690823167093550271853","111495361489110509256356200806299923880","178572140369819662473714958058366662585","55677179894432956756970986458270807170","243749876232182947922257577827246724584","304104966907259142416953967993479777888"],"threshold":0.9},"deprecated":false},{"id":"CVE-2025-62168-7264ca6d","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/tests/stub_HttpRequest.cc"},"digest":{"line_hashes":["319628864638996233576040037683439836068","235689941047998612515554073966651476498","157821449190967625544281066808262964558","286138395319723657978434809546053764065"],"threshold":0.9},"deprecated":false},{"id":"CVE-2025-62168-98ad54a3","signature_version":"v1","signature_type":"Function","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"function":"ErrorState::~ErrorState","file":"src/errorpage.cc"},"digest":{"length":440,"function_hash":"319525920836719022175801197013059394515"},"deprecated":false},{"id":"CVE-2025-62168-dea9b74b","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/errorpage.h"},"digest":{"line_hashes":["234319771326960497305858262692665464581","313900222983792197615514199201858887582","7051046443802222357711021471833530143","130357362660381162472516289331575203400"],"threshold":0.9},"deprecated":false},{"id":"CVE-2025-62168-e4abf7f3","signature_version":"v1","signature_type":"Line","source":"https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f","target":{"file":"src/HttpRequest.cc"},"digest":{"line_hashes":["93816443296761512862670098502667722492","549155145611151454438061359
33830514105","244088937199770750281711899065074353911","164967647240795652974566680634868295484","113149346552744538682618741743081408310","279531468366383736788411606699547275014","155586136457317076102712412659773568376","275051774967319523081495527395460721115"],"threshold":0.9},"deprecated":false}],"vanir_signatures_modified":"2026-04-27T10:32:49Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"}]}