CVE-2025-31135: 
vulnerability analysis and mitigation

Go-Guerrilla SMTP Daemon, a lightweight SMTP server written in Go, was found to have a vulnerability prior to version 1.6.7. When ProxyOn is enabled, the PROXY command could be accepted multiple times, with later invocations overriding earlier ones. This vulnerability was discovered on April 1, 2025, and was assigned CVE-2025-31135 (NVD, GitHub Advisory).

The vulnerability stems from improper handling of the PROXY protocol implementation. While the proxy protocol only supports one initial PROXY header, the server incorrectly accepts subsequent PROXY commands as part of the client-server exchange. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory).

The vulnerability allows a client to spoof its IP address when the proxy protocol is being used. While the impact is primarily limited to spoofing the RemoteIP field, this has less practical impact on a Mail Transfer Agent (MTA) compared to a web server, but still presents a security risk (GitHub Advisory).

The vulnerability has been fixed in version 1.6.7 of Go-Guerrilla SMTP Daemon. Users are advised to upgrade to this version or later. The fix includes proper validation of PROXY headers and prevents multiple PROXY commands from being accepted (GitHub Commit).