Warning: Critical vulnerability in Squid discloses credentials and security tokens. Patch Immediately!

• Last update: 21/10/2025
• Affected software: Squid <7.2
• Type: Generation of Error Message Containing Sensitive Information
• CVE/CVSS
  → CVE-2025-62168: CVSS 10.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)

Sources

Vendor - https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr

Risks

Due to a failure to redact HTTP Authentication credentials, Squid is vulnerable to an Information Disclosure attack.

This problem allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate.

This problem potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing.

These attacks do not require Squid to be configured with HTTP Authentication.

Description

In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

https://github.com/squid-cache/squid/releases/tag/SQUID_7_2

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.