PT-2025-14443 · Unknown · Go-Guerrilla Smtp Daemon

Published: 2025-04-01 · Updated: 2026-01-28 · CVE-2025-31135

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Go-Guerrilla SMTP Daemon versions prior to 1.6.7

Description
The issue allows a client to spoof its IP address when the proxy protocol is in use. It occurs because the PROXY command is accepted multiple times, with later invocations overriding earlier ones. The proxy protocol supports only a single PROXY header at the very start of the connection; anything that follows belongs to the exchange between the client and the server. A client can therefore send further PROXY commands carrying arbitrary data, and go-guerrilla treats them as if they had come from the reverse proxy.

Recommendations
For Go-Guerrilla SMTP Daemon versions prior to 1.6.7, update to version 1.6.7 to resolve the issue. As a temporary workaround, consider disabling the ProxyOn feature until a patch is available. Restrict access to instances with ProxyOn enabled to minimize the risk of exploitation. Avoid using the PROXY command in the affected protocol until the issue is resolved.
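The defensive rule the description implies is that a PROXY protocol v1 header may be honoured only as the first line of a connection, and that any later line beginning with PROXY is a protocol violation rather than a new source address. The following Go program is an added illustration of that rule and is not go-guerrilla's own code; the function names (parseProxyV1, runSession), the Session type and the sample session are constructed for this example, and the choice to require a PROXY header when proxy mode is on is an assumption of the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

// ProxyInfo holds the client address recovered from a PROXY protocol v1 header.
type ProxyInfo struct {
	SrcIP   net.IP
	SrcPort int
}

var errBadProxyHeader = errors.New("malformed PROXY v1 header")

// ErrUnexpectedProxyHeader is returned when a PROXY line arrives anywhere other
// than as the first line of a proxy-mode connection. The vulnerable behaviour
// described in the advisory is to re-parse such a line and overwrite the client
// address; the hardened behaviour is to abort the session instead.
var ErrUnexpectedProxyHeader = errors.New("PROXY header not permitted at this point in the session")

// parseProxyV1 parses "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>" and
// validates that the address family matches the addresses and that the ports
// are in range.
func parseProxyV1(line string) (ProxyInfo, error) {
	fields := strings.Fields(line)
	if len(fields) != 6 || fields[0] != "PROXY" {
		return ProxyInfo{}, errBadProxyHeader
	}
	src, dst := net.ParseIP(fields[2]), net.ParseIP(fields[3])
	if src == nil || dst == nil {
		return ProxyInfo{}, errBadProxyHeader
	}
	switch fields[1] {
	case "TCP4":
		if src.To4() == nil || dst.To4() == nil {
			return ProxyInfo{}, errBadProxyHeader
		}
	case "TCP6":
		if src.To4() != nil || dst.To4() != nil {
			return ProxyInfo{}, errBadProxyHeader
		}
	default:
		return ProxyInfo{}, errBadProxyHeader
	}
	sport, err1 := strconv.Atoi(fields[4])
	dport, err2 := strconv.Atoi(fields[5])
	if err1 != nil || err2 != nil || sport < 1 || sport > 65535 || dport < 1 || dport > 65535 {
		return ProxyInfo{}, errBadProxyHeader
	}
	return ProxyInfo{SrcIP: src, SrcPort: sport}, nil
}

// Session records the address the server attributes to the client and the
// SMTP command lines it accepted before stopping.
type Session struct {
	ClientIP     string // starts as the TCP peer address, replaced once by a valid header
	ProxyApplied bool
	Commands     []string
}

// runSession consumes a connection's input. Only the very first line may be a
// PROXY header (and only when proxyOn is set); any PROXY line after that, or
// any PROXY line at all when proxy mode is off, ends the session with
// ErrUnexpectedProxyHeader and leaves ClientIP untouched.
func runSession(conn io.Reader, socketIP string, proxyOn bool) (Session, error) {
	s := Session{ClientIP: socketIP}
	r := bufio.NewReader(conn)
	first := true
	for {
		line, err := r.ReadString('\n')
		if err != nil && err != io.EOF {
			return s, err
		}
		if line == "" && err == io.EOF {
			break
		}
		line = strings.TrimRight(line, "\r\n")
		isProxy := strings.HasPrefix(line, "PROXY ")
		if first && proxyOn {
			first = false
			if !isProxy {
				return s, errors.New("proxy mode requires a PROXY header as the first line")
			}
			info, perr := parseProxyV1(line)
			if perr != nil {
				return s, perr
			}
			s.ClientIP = info.SrcIP.String()
			s.ProxyApplied = true
			continue
		}
		first = false
		if isProxy {
			return s, ErrUnexpectedProxyHeader // hardened: never re-apply a header
		}
		s.Commands = append(s.Commands, line)
		if err == io.EOF {
			break
		}
	}
	return s, nil
}

// Constructed sample input (not a real capture): a legitimate header from the
// reverse proxy, then a second PROXY line arriving mid-session.
const sampleInput = "PROXY TCP4 203.0.113.7 192.0.2.10 51234 25\r\n" +
	"EHLO mail.example.test\r\n" +
	"PROXY TCP4 198.51.100.9 192.0.2.10 4444 25\r\n" +
	"MAIL FROM:<a@example.test>\r\n"

func main() {
	s, err := runSession(strings.NewReader(sampleInput), "10.0.0.5", true)
	fmt.Printf("client IP %s (proxy applied=%v), accepted %v, session ended with: %v\n",
		s.ClientIP, s.ProxyApplied, s.Commands, err)
}
```

Run against the sample session, the client address stays at the value from the first header (203.0.113.7), the EHLO is accepted, and the session is terminated at the second PROXY line instead of the address being rewritten. The same rejection path also fires when proxy mode is off and a client sends a PROXY line, which is a useful condition to log as a spoofing attempt.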

Weakness Enumeration

Related Identifiers

CVE-2025-31135
GHSA-C2C3-PQW5-5P7C
GO-2025-3588
OPENSUSE-SU-2025:14970-1

Affected Products

Go-Guerrilla Smtp Daemon