CVE-2025-62168 is a critical information disclosure vulnerability affecting Squid, a widely used caching proxy server, in versions prior to 7.2. The root cause is the failure to properly redact HTTP authentication credentials in error messages generated during failure handling. This vulnerability allows a remote attacker to craft requests that cause Squid to generate error responses containing sensitive authentication credentials or security tokens used by trusted clients. Notably, exploitation does not require Squid to be configured with HTTP authentication, broadening the scope of affected deployments. The vulnerability enables attackers to bypass browser security protections, potentially exposing credentials that could be used for further attacks against backend web applications or services behind Squid. The vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-550 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 10.0, reflecting a network attack vector, no required privileges or user interaction, complete confidentiality and integrity impact, and a scope change. Although no known exploits are reported in the wild yet, the criticality and ease of exploitation make this a high-risk threat. The issue is resolved in Squid 7.2. As an interim mitigation, administrators can disable debug information in error emails by setting 'email_err_data off' in squid.conf to prevent leakage of sensitive data in administrator mailto links.

The vulnerability poses a severe risk to organizations using Squid as a caching proxy or backend load balancer, especially those handling sensitive authentication credentials or security tokens. Successful exploitation can lead to unauthorized disclosure of credentials, enabling attackers to impersonate trusted clients or escalate privileges within internal networks. This compromises confidentiality and integrity of protected resources and may facilitate further lateral movement or data breaches. Since no authentication or user interaction is required, attackers can remotely exploit this vulnerability at scale. The exposure of internal security tokens can undermine the security of backend web applications, potentially leading to unauthorized access or data exfiltration. Organizations relying on Squid for critical infrastructure, including government, financial, healthcare, and large enterprise environments, face significant operational and reputational risks if this vulnerability is exploited.

1. Upgrade Squid to version 7.2 or later immediately, as this version contains the official fix for the vulnerability. 2. Until patching is possible, configure Squid to disable debug information in administrator mailto links by adding 'email_err_data off' in the squid.conf file to prevent sensitive data leakage in error messages. 3. Review and restrict access to Squid error logs and administrative interfaces to trusted personnel only. 4. Monitor network traffic and logs for unusual or suspicious requests that may attempt to trigger error messages containing credentials. 5. Implement network segmentation to limit exposure of Squid servers to untrusted networks. 6. Conduct regular security assessments and penetration tests focusing on proxy servers and backend load balancers to detect similar misconfigurations or vulnerabilities. 7. Educate administrators about the risks of verbose error messages and the importance of secure error handling practices.