Home > Vulnerability Database > CVE-2025-31135

Mend.io Vulnerability Database

CVE-2025-31135

Good to know:

Date: April 1, 2025

Go-Guerrilla SMTP Daemon is a lightweight SMTP server written in Go. Prior to 1.6.7, when ProxyOn is enabled, the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. This vulnerability is fixed in 1.6.7.

Severity Score

5.3

Related Resources (5)

Url: https://github.com/phires/go-guerrilla

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-31135

Url: https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c

Url: https://github.com/phires/go-guerrilla/commit/7673947f2d5204a135d7ae0b7f80759e548abee6

Url: https://www.mend.io/vulnerability-database/CVE-2025-31135

Severity Score

5.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version github.com/phires/go-guerrilla - v1.6.7;https://github.com/phires/go-guerrilla.git - v1.6.7

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-31135

Good to know:

Date: April 1, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?