CVE-2025-31135 – github.com/phires/go-guerrilla
Package
Manager: go
Name: github.com/phires/go-guerrilla
Vulnerable Version: >=0 <1.6.7
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00055 (percentile 0.17308)
Details
Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times

### Summary

The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used.

### Details

When ProxyOn is enabled, [it looks like the PROXY command will be accepted multiple times](https://github.com/phires/go-guerrilla/blob/fca3b2d8957a746997c7e71fca39004f5c96e91f/server.go#L495), with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address.

Note that the format of the PROXY header is [well-defined](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). It probably shouldn't be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabilities.

### PoC

I'm working on writing a PR to fix this vulnerability. It'll include a unit test that will serve as a PoC on the current version.

### Impact

Any instance with `ProxyOn` enabled (`proxyon` in the JSON config) is affected. As far as I'm able to tell, the impact is limited to spoofing the `RemoteIP` field. This isn't ideal, but it probably has less practical impact on an MTA than, say, a web server.
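As an added illustration of the handling the advisory calls for (example code, not go-guerrilla's own), the following Go snippet honours a version-1 PROXY header only as the first line of a connection when proxy mode is on, and rejects any later PROXY line outright instead of parsing it as an SMTP command, so `RemoteIP` can be set exactly once. `Session`, `HandleLine` and `parseProxyV1` are assumed names; the address fields are checked with `net.ParseIP` and the spec's `PROXY UNKNOWN` form is left out for brevity.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Session is the per-connection state needed to honour the PROXY header exactly once.
type Session struct {
	ProxyOn   bool   // server sits behind a reverse proxy that speaks the proxy protocol
	RemoteIP  string // client IP reported by the proxy; empty until the header is seen
	firstDone bool   // true once the first line of the connection has been consumed
}

var ErrProxyRepeated = errors.New("PROXY header accepted only once, as the first line")
var ErrProxyMissing = errors.New("PROXY header must be the first line when proxy mode is on")

// parseProxyV1 validates "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>" and returns the
// source address. Splitting on whitespace is slightly more lenient than the spec's
// single-space rule; the "PROXY UNKNOWN" form is deliberately not handled here.
func parseProxyV1(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") ||
		net.ParseIP(f[2]) == nil || net.ParseIP(f[3]) == nil {
		return "", fmt.Errorf("malformed PROXY header: %q", line)
	}
	return f[2], nil
}

// HandleLine consumes one client line. With ProxyOn the first line must be the PROXY
// header; a PROXY line anywhere else is an error, never a replacement header.
func (s *Session) HandleLine(line string) error {
	first := !s.firstDone
	s.firstDone = true
	isProxy := s.ProxyOn && strings.HasPrefix(line, "PROXY ")
	switch {
	case isProxy && !first:
		return ErrProxyRepeated // the fix: the client cannot overwrite RemoteIP later
	case !isProxy && first && s.ProxyOn:
		return ErrProxyMissing // receiver must not guess whether the header is present
	case !isProxy:
		return nil // ordinary SMTP command: hand to the normal command dispatcher
	}
	var err error
	s.RemoteIP, err = parseProxyV1(line) // on error RemoteIP stays empty; drop the connection
	return err
}
```

With proxy mode off, a `PROXY` line is passed through as an ordinary (unrecognised) SMTP command and never touches `RemoteIP`.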
Metadata
Created: 2025-04-01T22:23:49Z
Modified: 2025-04-02T00:49:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-c2c3-pqw5-5p7c/GHSA-c2c3-pqw5-5p7c.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-c2c3-pqw5-5p7c
Finding: F184
Auto approve: 1