CVE-2025-31135 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-31135 Interim 1 5 2026-03-05T01:09:40Z current 2025-04-04T23:11:59Z 2026-03-05T01:09:40Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-31135 Go-Guerrilla SMTP Daemon is a lightweight SMTP server written in Go. Prior to 1.6.7, when ProxyOn is enabled, the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. This vulnerability is fixed in 1.6.7. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ E-Mail link for openSUSE-SU-2025:14970-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed cloud-init-25.1.3-slfo.1.1_1.1 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 govulncheck-vulndb-0.0.20250402T160203-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-Azure cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-Azure cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-Azure cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-Azure cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250402T160203-1.1 as a component of openSUSE Tumbleweed Go-Guerrilla SMTP Daemon is a lightweight SMTP server written in Go. Prior to 1.6.7, when ProxyOn is enabled, the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. This vulnerability is fixed in 1.6.7. CVE-2025-31135 Image SLE-Micro:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-Azure:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-Azure:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-Azure:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-Azure:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-EC2:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-EC2:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate