ghsa-c2c3-pqw5-5p7c
Vulnerability from github
Published
2025-04-01 22:23
Modified
2025-04-02 00:49
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times
Details

Summary

The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used.

Details

When ProxyOn is enabled, it looks like the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address.

Note that the format of the PROXY header is well-defined. It probably shouldn't be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabilities.

PoC

I'm working on writing a PR to fix this vulnerability. It'll include a unit test that will serve as a PoC on the current version.

Impact

Any instance with ProxyOn enabled (proxyon in the JSON config) is affected.

As far as I'm able to tell, the impact is limited to spoofing the RemoteIP field. This isn't ideal, but it probably has less practical impact on an MTA than, say, a web server.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/phires/go-guerrilla"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-01T22:23:49Z",
    "nvd_published_at": "2025-04-01T22:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used.\n\n### Details\n\nWhen ProxyOn is enabled, [it looks like the PROXY command will be accepted multiple times](https://github.com/phires/go-guerrilla/blob/fca3b2d8957a746997c7e71fca39004f5c96e91f/server.go#L495), with later invocations overriding earlier ones.  The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases.  go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address.\n\nNote that the format of the PROXY header is [well-defined](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).  It probably shouldn\u0027t be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabilities.\n\n### PoC\n\nI\u0027m working on writing a PR to fix this vulnerability.  It\u0027ll include a unit test that will serve as a PoC on the current version.\n\n### Impact\n\nAny instance with `ProxyOn` enabled (`proxyon` in the JSON config) is affected.\n\nAs far as I\u0027m able to tell, the impact is limited to spoofing the `RemoteIP` field.  This isn\u0027t ideal, but it probably has less practical impact on an MTA than, say, a web server.",
  "id": "GHSA-c2c3-pqw5-5p7c",
  "modified": "2025-04-02T00:49:48Z",
  "published": "2025-04-01T22:23:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phires/go-guerrilla/commit/7673947f2d5204a135d7ae0b7f80759e548abee6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phires/go-guerrilla"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.