CVE-2025-31135: Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times

April 1, 2025 (updated April 2, 2025)

The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used.

References

github.com/advisories/GHSA-c2c3-pqw5-5p7c
github.com/phires/go-guerrilla
github.com/phires/go-guerrilla/commit/7673947f2d5204a135d7ae0b7f80759e548abee6
github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c
nvd.nist.gov/vuln/detail/CVE-2025-31135

Code Behaviors & Features

Detect and mitigate CVE-2025-31135 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →