medium
5.3
CWE
20
EPSS
0.043%
Advisory Published
Advisory Published
Updated

CVE-2025-31135: Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times

First published: Tue Apr 01 2025(Updated: )

### Summary The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used. ### Details When ProxyOn is enabled, [it looks like the PROXY command will be accepted multiple times](https://github.com/phires/go-guerrilla/blob/fca3b2d8957a746997c7e71fca39004f5c96e91f/server.go#L495), with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. Note that the format of the PROXY header is [well-defined](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). It probably shouldn't be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabilities. ### PoC I'm working on writing a PR to fix this vulnerability. It'll include a unit test that will serve as a PoC on the current version. ### Impact Any instance with `ProxyOn` enabled (`proxyon` in the JSON config) is affected. As far as I'm able to tell, the impact is limited to spoofing the `RemoteIP` field. This isn't ideal, but it probably has less practical impact on an MTA than, say, a web server.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Go-Guerrilla SMTP Daemon<1.6.7
go/github.com/phires/go-guerrilla<1.6.7
1.6.7

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-31135?

    CVE-2025-31135 is considered a medium-severity vulnerability due to its impact on SMTP communication integrity.

  • How do I fix CVE-2025-31135?

    To mitigate CVE-2025-31135, upgrade Go-Guerrilla SMTP Daemon to version 1.6.7 or later.

  • What does CVE-2025-31135 affect?

    CVE-2025-31135 affects versions of Go-Guerrilla SMTP Daemon prior to 1.6.7 with the ProxyOn feature enabled.

  • What is the main issue with CVE-2025-31135?

    The main issue with CVE-2025-31135 is that multiple PROXY command invocations can lead to unintentional overwrites of previous settings.

  • Can CVE-2025-31135 lead to security risks?

    Yes, CVE-2025-31135 can lead to security risks by allowing potentially malicious proxy settings to override legitimate configurations.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203