Introduction
Sensitive HTTP credentials can leak to remote parties through a proxy error page generated with Squid's default settings. CVE-2025-62168 is an information-disclosure flaw in Squid Proxy that lets a remote party extract HTTP authentication credentials from error pages; it affects both forward and reverse proxy deployments.
About Squid: Squid is a major open-source caching proxy used globally for web acceleration, access control, and content filtering. It is deployed by enterprises, ISPs, and cloud providers, with millions of active instances. Squid's flexibility and performance make it a backbone for web infrastructure in many organizations.
Technical Information
CVE-2025-62168 is caused by Squid's failure to redact HTTP authentication credentials in its error-handling code. When Squid cannot process a client's HTTP request (for example, the destination host does not resolve or the origin refuses the connection), it returns an error page. If the email_err_data directive is enabled, which is the default in every affected version, the page's "contact the cache administrator" link is a mailto URL whose subject and body parameters carry a percent-encoded dump of the failed request: the error name, the request line, and the request headers, Authorization among them.
The vulnerability arises because Squid neither strips nor masks these headers before embedding them in the page. Any remote client or script that can trigger an error condition therefore receives a page carrying whatever credentials were present in the triggering request: Basic usernames and passwords (base64-encoded, so trivially recoverable), bearer tokens, or other Authorization values. The exposure does not depend on Squid being configured for HTTP authentication, because credentials can be present in proxied requests for other reasons, such as backend authentication in reverse proxy deployments.
The root cause is insufficient sanitization in the error page generation code path. The issue is addressed in Squid 7.2, which redacts sensitive headers before including request details in error content.
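To make the mechanism concrete, here is an added model (not Squid's own code) of how the error page's mailto link is assembled: the request line and headers are percent-encoded into the link's body parameter, which is what email_err_data on produced before 7.2, beside a variant that replaces sensitive header values before encoding, the kind of sanitization the fix requires. The field names follow the mailto body Squid emits; the function names, the SENSITIVE_HEADERS list, the sample request and the administrator address are assumptions.

```python
"""Model of how a Squid error page embeds the failed request in a mailto:
link, with the pre-7.2 behaviour beside a redacting variant.

Added illustration, not Squid's code: the field layout follows the error
page's mailto body (CacheHost, ErrPage, Err, HTTP Request:), while the
function names, SENSITIVE_HEADERS and the constructed request are assumed."""
from urllib.parse import quote, unquote

# Header names whose values must never reach an error page. Assumed list for
# this model; the advisory itself only names Authorization.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Constructed client request: (request line, list of header pairs).
SAMPLE_REQUEST = (
    "GET http://backend.example/ HTTP/1.1",
    [
        ("Host", "backend.example"),
        ("User-Agent", "curl/8.5.0"),
        ("Authorization", "Basic YWxpY2U6aHVudGVyMg=="),  # alice:hunter2
    ],
)


def redact_headers(headers, redact=True):
    """Return the header list with sensitive values replaced by '[redacted]'."""
    if not redact:
        return list(headers)
    return [
        (name, "[redacted]" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers
    ]


def build_mailto(admin, err_name, request, redact):
    """Build the href of the error page's administrator link.
    redact=False models email_err_data on before 7.2: the full request,
    credentials included, is percent-encoded into the mail body."""
    req_line, headers = request
    body_lines = [
        "CacheHost: proxy.example",
        f"ErrPage: {err_name}",
        "Err: [none]",
        "",
        "HTTP Request:",
        req_line,
    ]
    body_lines += [f"{n}: {v}" for n, v in redact_headers(headers, redact)]
    body = "\r\n".join(body_lines) + "\r\n"
    subject = quote(f"CacheErrorInfo - {err_name}", safe="")
    return f"mailto:{admin}?subject={subject}&body={quote(body, safe='')}"


def leaked_authorization(mailto_href):
    """Percent-decode the mailto body and return the Authorization value it
    carries, or None. This is the extraction step an attacker (or a tester)
    performs on a captured error page."""
    _, _, query = mailto_href.partition("?")
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key != "body":
            continue
        for line in unquote(value).splitlines():
            name, _, val = line.partition(":")
            if name.strip().lower() == "authorization":
                return val.strip()
    return None


if __name__ == "__main__":
    leaky = build_mailto("webmaster", "ERR_DNS_FAIL", SAMPLE_REQUEST, redact=False)
    fixed = build_mailto("webmaster", "ERR_DNS_FAIL", SAMPLE_REQUEST, redact=True)
    print("pre-7.2 behaviour exposes:", leaked_authorization(leaky))
    print("redacting behaviour exposes:", leaked_authorization(fixed))
```

Note that the credential survives percent-encoding intact: anyone who decodes the href, which a browser does the moment the link is clicked, gets the original Authorization value back.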
Configuration Example
The vulnerable behavior is controlled by the email_err_data directive in squid.conf:
# Vulnerable default (prior to 7.2)
email_err_data on
Until the proxy is upgraded to 7.2 or later, disable the request dump as a workaround:
email_err_data off
This removes the request details from the mailto link but does not change the error-handling code, so upgrading remains the actual fix. Credentials that transited an affected proxy while the default was in effect should be treated as potentially exposed.
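The following is an added verification probe, not from the advisory or the Squid project, that covers both the mechanism described under Technical Information and the workaround above: it sends a request carrying a unique, fake Basic credential through the proxy to a hostname under the reserved .invalid TLD, which cannot resolve and so yields a Squid error page, then searches the response, including the percent-encoded mailto body, for that canary. The proxy address, the probe hostname and the sample pages used for the offline check are assumptions constructed here.

```python
"""Probe for CVE-2025-62168 behaviour: push a canary Authorization header
through a forward proxy to an unresolvable host and look for the canary in
the error page that comes back.

Added example, not part of the advisory or of Squid. Assumed: the proxy is
a plain HTTP forward proxy at PROXY_HOST:PROXY_PORT, the .invalid hostname
produces an error page, and the sample pages below are constructed."""
import base64
import http.client
import re
import secrets
from urllib.parse import unquote

PROXY_HOST = "127.0.0.1"  # assumed test proxy
PROXY_PORT = 3128         # Squid's conventional listen port


def make_canary():
    """Unique, obviously fake Basic credential so a match cannot be accidental."""
    token = secrets.token_hex(8)
    return base64.b64encode(f"canary:{token}".encode()).decode()


def canary_in_error_page(body, canary):
    """True if the canary appears in the response body, either verbatim or
    inside a percent-encoded mailto: link (where the request dump lives)."""
    if canary in body:
        return True
    for href in re.findall(r'href="(mailto:[^"]*)"', body):
        if canary in unquote(href):
            return True
    return False


def probe_proxy(host=PROXY_HOST, port=PROXY_PORT, timeout=10):
    """Send the canary through the proxy; return (status, leaked)."""
    canary = make_canary()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # http.client sends the absolute URL as the request target and sets
        # Host from it, which is what a forward proxy expects.
        conn.request("GET", "http://errortest.invalid/",
                     headers={"Authorization": f"Basic {canary}"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    return resp.status, canary_in_error_page(body, canary)


# Constructed fragment in the shape of a Squid ERR_DNS_FAIL page whose mailto
# link carries the request dump, as email_err_data on produced before 7.2.
# Squid percent-encodes the body, so the canary's '=' padding appears as %3D.
SAMPLE_CANARY = "Y2FuYXJ5OmRlYWRiZWVmMDEyMzQ1Njc="  # canary:deadbeef01234567
SAMPLE_LEAKY_PAGE = (
    '<p>Your cache administrator is <a href="mailto:webmaster'
    '?subject=CacheErrorInfo%20-%20ERR_DNS_FAIL'
    '&body=CacheHost%3A%20proxy.example%0D%0AErrPage%3A%20ERR_DNS_FAIL%0D%0A'
    'HTTP%20Request%3A%0D%0AGET%20http%3A%2F%2Ferrortest.invalid%2F'
    '%20HTTP%2F1.1%0D%0AAuthorization%3A%20Basic%20'
    + SAMPLE_CANARY.replace("=", "%3D") +
    '%0D%0A">webmaster</a>.</p>'
)
# Same link with the request dump absent, as with email_err_data off.
SAMPLE_CLEAN_PAGE = (
    '<p>Your cache administrator is <a href="mailto:webmaster">webmaster</a>.</p>'
)

if __name__ == "__main__":
    status, leaked = probe_proxy()
    print(f"proxy returned HTTP {status}; canary credential exposed: {leaked}")
```

Run it only against a proxy you are authorised to test. A True result on a build older than 7.2 with email_err_data on is the expected finding. After setting email_err_data off (validate the file with squid -k parse, apply with squid -k reconfigure), a False result confirms the workaround on this error path but does not prove the binary is patched; check squid -v for the version. A 407 status means the proxy demanded proxy authentication first and the probe never reached the error page, so repeat it with valid proxy credentials.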
Affected Systems and Versions
- All Squid versions prior to 7.2 are affected
- 3.x up to and including 3.5.28
- 4.x up to and including 4.17
- 5.x up to and including 5.9
- 6.x up to and including 6.14
- 7.x up to and including 7.1
- Vulnerability is present regardless of whether Squid is configured for HTTP authentication
- Both forward and reverse proxy configurations are affected
- Systems with email_err_data on (the default) are vulnerable
Vendor Security History
Squid has a history of information disclosure and denial of service vulnerabilities, often related to protocol parsing and error handling. Recent advisories include issues in Edge Side Includes (ESI) processing and HTTP header parsing. The project publishes transparent advisories and coordinates fixes for supported versions, but older branches may not receive backports. The open-source model means patch response is generally prompt for current releases.
References
- NVD entry for CVE-2025-62168
- Official CVE entry
- Squid Security Advisory GHSA-c8cc-phh7-xmxr
- Squid commit fixing CVE-2025-62168
- Squid documentation: email_err_data
- Netgate forum discussion
- CWE-209: Generation of Error Message Containing Sensitive Information
- CWE-550: Server-generated Error Message Containing Sensitive Information