Critical Vulnerability in Squid Web Proxy (CVE-2025-62168)
Executive Summary
On October 17th, the open-source web proxy project Squid published an advisory concerning an information disclosure vulnerability in its popular Squid proxy software. The vulnerability can be leveraged to reveal confidential, internal authentication material to unauthorized parties, and it was assigned the highest possible CVSS score of 10.0. Squid proxies are commonly deployed internet-facing by design, and compromised authentication material could grant threat actors initial access into an organization's network.
The vulnerability appears to be in code dealing with error-handling functionality, specifically program logic that handles redactions of sensitive information when displaying or reporting diagnostic error messages.
The bug was found by a researcher at a legitimate cybersecurity company, reported to the Squid organization, and patched via normal update processes. There are no detailed technical writeups of the bug or public proof-of-concept (PoC) exploits available at the time of writing. The source code and fix are, however, publicly available, and Beazley Security expects threat actors to understand the bug well enough to have weaponized exploits in the coming days.
Affected organizations should apply security patches as soon as possible.
Affected Systems and Products
Squid proxy software versions 7.1 and below are affected by this vulnerability. Please see the table below and the Mitigations and Workarounds section for recommendations if updates cannot be applied.
Mitigations and Workarounds
The Squid software organization has noted that if patches cannot be immediately applied, the affected debug functionality can be disabled as a workaround.
In squid.conf, add the following directive:
email_err_data off
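A small audit helper for checking a host against the two facts in this advisory: whether the installed Squid is an affected release (7.1 and below) and whether squid.conf actually turns email_err_data off. This is an added example, not code from Squid or from the advisory; the sample version output and configuration excerpt are constructed, and it assumes the pre-fix default for email_err_data is on and that the last occurrence of a directive in squid.conf wins.

```python
"""Audit helper for CVE-2025-62168 exposure (constructed example, not Squid's code)."""
import re

# Per the advisory, releases 7.1 and below are affected.
LAST_AFFECTED = (7, 1)


def parse_version(text):
    """Extract a version tuple from 'squid -v' output, e.g. 'Squid Cache: Version 6.10'."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no Squid version found in output")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True when major.minor is 7.1 or lower (patch level is ignored)."""
    return version[:2] <= LAST_AFFECTED


def effective_email_err_data(conf_text):
    """Return the effective email_err_data value for a squid.conf body.

    Assumptions: the default is 'on' in affected releases (the fix changed the
    default to off), '#' starts a comment, and a later directive overrides an earlier one.
    """
    value = "on"
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "email_err_data":
            value = parts[1].lower()
    return value


def assess(version_output, conf_text):
    """Combine the version and config checks into a single verdict string."""
    if not is_affected(parse_version(version_output)):
        return "patched release"
    if effective_email_err_data(conf_text) == "off":
        return "affected release, workaround applied"
    return "affected release, workaround missing: set email_err_data off"


# Constructed sample inputs: an affected release whose admin added the workaround late.
SAMPLE_VERSION = "Squid Cache: Version 6.10\nService Name: squid\n"
SAMPLE_CONF = """# constructed squid.conf excerpt
http_port 3128
email_err_data on   # default left on
email_err_data off  # workaround appended later; last directive wins
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

In practice, feed it the output of `squid -v` and the contents of the live squid.conf on each proxy host.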
Patches
Patches have already been made available to the official source code repository at https://github.com/squid-cache.
Technical Details
The Squid organization did not provide a detailed writeup of the vulnerability in their advisory, but the software is open source, and the code fix and related commentary can be viewed in the GitHub commit.
According to those comments, logic to filter out sensitive information had been implemented but was incomplete. The proposed fixes add objects to mask the sensitive data. Additionally, the configuration switch that adds detailed error data to outgoing 'mailto' links is now disabled by default.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.