Critical Information Disclosure Vulnerability in Squid Proxy via Error Handling (CVE-2025-62168)
A critical vulnerability, tracked as CVE-2025-62168, has been identified in Squid, a widely used web caching proxy. This flaw, which carries a maximum CVSS score of 10.0, allows for the leakage of HTTP authentication credentials and security tokens through improper error handling. The vulnerability affects all Squid versions prior to 7.2, where a failure to redact sensitive information in error messages can result in information disclosure.
Attackers can exploit this issue remotely, enabling them to bypass browser security protections and obtain credentials used by trusted clients. The vulnerability does not require Squid to be configured with HTTP authentication, broadening the potential attack surface. Scripts can leverage this flaw to extract credentials or security tokens that are used internally by web applications relying on Squid for backend load balancing. The risk is particularly severe for organizations using Squid as a reverse proxy or in environments where sensitive authentication data is transmitted.
The vulnerability was disclosed publicly in October 2025, with security advisories highlighting the ease of remote exploitation. Administrators are urged to upgrade to Squid version 7.2, which contains the necessary fix to address this issue. As a temporary mitigation, disabling debug information in administrator mailto links by setting "email_err_data off" in the squid.conf configuration file is recommended. The vulnerability's critical rating underscores the urgency for immediate remediation to prevent potential credential theft and unauthorized access.
Security researchers emphasize that the flaw could be used in targeted attacks against organizations with exposed Squid proxies. The issue was reported through security advisories and has been acknowledged by the Squid development team. Organizations are advised to review their proxy configurations and apply the patch as soon as possible.
The vulnerability highlights the importance of proper error handling and redaction of sensitive data in security-critical infrastructure. Failure to address this flaw could result in significant data breaches or compromise of internal systems. The disclosure has prompted widespread attention in the cybersecurity community, with multiple advisories and technical analyses published to assist defenders. The incident serves as a reminder of the risks associated with misconfigured or outdated proxy services in enterprise environments.

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Workaround documented for credential leakage flaw
Alongside disclosure of CVE-2025-62168, a mitigation was documented for affected deployments: disable debug information in administrator mailto links by setting "email_err_data off" in squid.conf. The workaround reduces exposure for versions prior to 7.2.
Squid fixes CVE-2025-62168 in version 7.2
Squid addressed a critical information disclosure flaw, CVE-2025-62168, in version 7.2. The bug allowed HTTP authentication credentials and internal security tokens to leak through error handling when credentials were not properly redacted.
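A triage check for the two remediation states described above (upgrade to 7.2, or the "email_err_data off" workaround), as an added example that is not code from Squid or from the cited sources. It assumes the version banner printed by `squid -v`, that email_err_data defaults to "on" when absent, and that the last occurrence of the directive wins; the function names and sample inputs are constructed for illustration.

```python
import re

FIXED = (7, 2)  # first fixed release named in the advisory text above

def squid_version(banner):
    """Extract (major, minor) from `squid -v` style output, or None."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def email_err_data(conf_text):
    """Effective email_err_data value for one squid.conf text.

    Assumptions: the directive defaults to "on" when absent, and the last
    occurrence wins. Files pulled in via `include` are not followed.
    """
    value = "on"
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment; a commented-out directive does not count
        if tokens[0] == "email_err_data" and len(tokens) > 1:
            value = tokens[1].lower()
    return value

def assess(banner, conf_text):
    """Classify a host as 'patched', 'workaround', 'exposed' or 'unknown'."""
    version = squid_version(banner)
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "patched"
    return "workaround" if email_err_data(conf_text) == "off" else "exposed"

# Constructed sample inputs (not taken from any real host).
CONF_DEFAULT = "http_port 3128\n# email_err_data off\n"
CONF_HARDENED = "http_port 3128\nemail_err_data on\nemail_err_data off\n"

if __name__ == "__main__":
    for banner, conf in [
        ("Squid Cache: Version 6.13", CONF_DEFAULT),
        ("Squid Cache: Version 6.13", CONF_HARDENED),
        ("Squid Cache: Version 7.2", CONF_DEFAULT),
    ]:
        print(banner, "->", assess(banner, conf))
```

A "workaround" result still marks the host for upgrade, since the page describes the setting as reducing exposure for versions prior to 7.2 rather than fixing the flaw.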
Sources
Critical Squid Proxy Flaw (CVE-2025-62168, CVSS 10.0) Leaks HTTP Credentials and Security Tokens via Error Handling
securityonline.info
CVE-2025-62168 - Squid vulnerable to information disclosure via authentication credential leakage in error handling
cvefeed.io


