GHSA-c2c3-pqw5-5p7c: Input Validation

First published: Tue Apr 01 2025(Updated: )

### Summary The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used. ### Details When ProxyOn is enabled, [it looks like the PROXY command will be accepted multiple times](https://github.com/phires/go-guerrilla/blob/fca3b2d8957a746997c7e71fca39004f5c96e91f/server.go#L495), with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. Note that the format of the PROXY header is [well-defined](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). It probably shouldn't be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabilities. ### PoC I'm working on writing a PR to fix this vulnerability. It'll include a unit test that will serve as a PoC on the current version. ### Impact Any instance with `ProxyOn` enabled (`proxyon` in the JSON config) is affected. As far as I'm able to tell, the impact is limited to spoofing the `RemoteIP` field. This isn't ideal, but it probably has less practical impact on an MTA than, say, a web server.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/source
• agent/last-modified-date
• agent/softwarecombine
• agent/references
• agent/type
• agent/severity
• agent/first-publish-date
• agent/description
• agent/event
• agent/tags
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-c2c3-pqw5-5p7c
• alias/CVE-2025-31135
• agent/software-canonical-lookup
• package-manager/go